4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Dec 2017 17:43:04 +0000 (18:43 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Dec 2017 17:43:04 +0000 (18:43 +0100)
added patches:
fix-handling-of-verdicts-after-nf_queue.patch
ipmi-stop-timers-before-cleaning-up-the-module.patch
net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
net-qmi_wwan-add-quectel-bg96-2c7c-0296.patch
net-remove-hlist_nulls_add_tail_rcu.patch
packet-fix-crash-in-fanout_demux_rollover.patch
rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
s390-qeth-build-max-size-gso-skbs-on-l2-devices.patch
s390-qeth-fix-early-exit-from-error-path.patch
s390-qeth-fix-gso-throughput-regression.patch
s390-qeth-fix-thinko-in-ipv4-multicast-address-tracking.patch
sit-update-frag_off-info.patch
stmmac-reset-last-tso-segment-size-after-device-open.patch
tcp-dccp-block-bh-before-arming-time_wait-timer.patch
tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_recv.patch
tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
usbnet-fix-alignment-for-frames-with-no-ethernet-header.patch

18 files changed:
queue-4.9/fix-handling-of-verdicts-after-nf_queue.patch [new file with mode: 0644]
queue-4.9/ipmi-stop-timers-before-cleaning-up-the-module.patch [new file with mode: 0644]
queue-4.9/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch [new file with mode: 0644]
queue-4.9/net-qmi_wwan-add-quectel-bg96-2c7c-0296.patch [new file with mode: 0644]
queue-4.9/net-remove-hlist_nulls_add_tail_rcu.patch [new file with mode: 0644]
queue-4.9/packet-fix-crash-in-fanout_demux_rollover.patch [new file with mode: 0644]
queue-4.9/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch [new file with mode: 0644]
queue-4.9/s390-qeth-build-max-size-gso-skbs-on-l2-devices.patch [new file with mode: 0644]
queue-4.9/s390-qeth-fix-early-exit-from-error-path.patch [new file with mode: 0644]
queue-4.9/s390-qeth-fix-gso-throughput-regression.patch [new file with mode: 0644]
queue-4.9/s390-qeth-fix-thinko-in-ipv4-multicast-address-tracking.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]
queue-4.9/sit-update-frag_off-info.patch [new file with mode: 0644]
queue-4.9/stmmac-reset-last-tso-segment-size-after-device-open.patch [new file with mode: 0644]
queue-4.9/tcp-dccp-block-bh-before-arming-time_wait-timer.patch [new file with mode: 0644]
queue-4.9/tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_recv.patch [new file with mode: 0644]
queue-4.9/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch [new file with mode: 0644]
queue-4.9/usbnet-fix-alignment-for-frames-with-no-ethernet-header.patch [new file with mode: 0644]

diff --git a/queue-4.9/fix-handling-of-verdicts-after-nf_queue.patch b/queue-4.9/fix-handling-of-verdicts-after-nf_queue.patch
new file mode 100644 (file)
index 0000000..80b2664
--- /dev/null
@@ -0,0 +1,41 @@
+From dbanerje@akamai.com  Thu Dec 14 18:38:57 2017
+From: Debabrata Banerjee <dbanerje@akamai.com>
+Date: Wed, 13 Dec 2017 15:33:37 -0500
+Subject: Fix handling of verdicts after NF_QUEUE
+To: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, "David S . Miller" <davem@davemloft.net>, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, stable@vger.kernel.org, dbanerje@akamai.com
+Message-ID: <20171213203337.314-1-dbanerje@akamai.com>
+
+From: Debabrata Banerjee <dbanerje@akamai.com>
+
+[This fix is only needed for v4.9 stable since v4.10+ does not have the issue]
+
+A verdict of NF_STOLEN after NF_QUEUE will cause an incorrect return value
+and a potential kernel panic via double free of skb's
+
+This was broken by commit 7034b566a4e7 ("netfilter: fix nf_queue handling")
+and subsequently fixed in v4.10 by commit c63cbc460419 ("netfilter:
+use switch() to handle verdict cases from nf_hook_slow()"). However that
+commit cannot be cleanly cherry-picked to v4.9
+
+Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+---
+ net/netfilter/core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -364,6 +364,11 @@ next_hook:
+               ret = nf_queue(skb, state, &entry, verdict);
+               if (ret == 1 && entry)
+                       goto next_hook;
++      } else {
++              /* Implicit handling for NF_STOLEN, as well as any other
++               * non conventional verdicts.
++               */
++              ret = 0;
+       }
+       return ret;
+ }
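Review bot: The new else branch at the end of the hunk maps NF_STOLEN and, by its own comment, every other unrecognised verdict to `ret = 0`, so a hook returning a bogus verdict now has its skb treated as owned by the hook (presumably leaked) rather than double-freed; the comment should make that consequence explicit, e.g. `/* NF_STOLEN: the hook now owns the skb.  Any other unknown verdict is treated the same way, so the skb is not freed here. */`. The patch file carries no `Fixes:` tag even though its body names 7034b566a4e7 as the commit that broke this, and unlike the other patches in this series it has no Greg Kroah-Hartman Signed-off-by line, which may be deliberate for a stable-only fix but is worth confirming. nf_hook_slow() starts outside the hunk, so the verdict branches preceding the new else cannot be checked here.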
diff --git a/queue-4.9/ipmi-stop-timers-before-cleaning-up-the-module.patch b/queue-4.9/ipmi-stop-timers-before-cleaning-up-the-module.patch
new file mode 100644 (file)
index 0000000..92d6671
--- /dev/null
@@ -0,0 +1,258 @@
+From 4f7f5551a760eb0124267be65763008169db7087 Mon Sep 17 00:00:00 2001
+From: Masamitsu Yamazaki <m-yamazaki@ah.jp.nec.com>
+Date: Wed, 15 Nov 2017 07:33:14 +0000
+Subject: ipmi: Stop timers before cleaning up the module
+
+From: Masamitsu Yamazaki <m-yamazaki@ah.jp.nec.com>
+
+commit 4f7f5551a760eb0124267be65763008169db7087 upstream.
+
+System may crash after unloading ipmi_si.ko module
+because a timer may remain and fire after the module cleaned up resources.
+
+cleanup_one_si() contains the following processing.
+
+        /*
+         * Make sure that interrupts, the timer and the thread are
+         * stopped and will not run again.
+         */
+        if (to_clean->irq_cleanup)
+                to_clean->irq_cleanup(to_clean);
+        wait_for_timer_and_thread(to_clean);
+
+        /*
+         * Timeouts are stopped, now make sure the interrupts are off
+         * in the BMC.  Note that timers and CPU interrupts are off,
+         * so no need for locks.
+         */
+        while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) {
+                poll(to_clean);
+                schedule_timeout_uninterruptible(1);
+        }
+
+si_state changes as following in the while loop calling poll(to_clean).
+
+  SI_GETTING_MESSAGES
+    => SI_CHECKING_ENABLES
+     => SI_SETTING_ENABLES
+      => SI_GETTING_EVENTS
+       => SI_NORMAL
+
+As written in the code comments above,
+timers are expected to stop before the polling loop and not to run again.
+But the timer is set again in the following process
+when si_state becomes SI_SETTING_ENABLES.
+
+  => poll
+     => smi_event_handler
+       => handle_transaction_done
+          // smi_info->si_state == SI_SETTING_ENABLES
+         => start_getting_events
+           => start_new_msg
+            => smi_mod_timer
+              => mod_timer
+
+As a result, before the timer set in start_new_msg() expires,
+the polling loop may see si_state becoming SI_NORMAL
+and the module clean-up finishes.
+
+For example, hard LOCKUP and panic occurred as following.
+smi_timeout was called after smi_event_handler,
+kcs_event and hangs at port_inb()
+trying to access I/O port after release.
+
+    [exception RIP: port_inb+19]
+    RIP: ffffffffc0473053  RSP: ffff88069fdc3d80  RFLAGS: 00000006
+    RAX: ffff8806800f8e00  RBX: ffff880682bd9400  RCX: 0000000000000000
+    RDX: 0000000000000ca3  RSI: 0000000000000ca3  RDI: ffff8806800f8e40
+    RBP: ffff88069fdc3d80   R8: ffffffff81d86dfc   R9: ffffffff81e36426
+    R10: 00000000000509f0  R11: 0000000000100000  R12: 0000000000]:000000
+    R13: 0000000000000000  R14: 0000000000000246  R15: ffff8806800f8e00
+    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
+ --- <NMI exception stack> ---
+
+To fix the problem I defined a flag, timer_can_start,
+as member of struct smi_info.
+The flag is enabled immediately after initializing the timer
+and disabled immediately before waiting for timer deletion.
+
+Fixes: 0cfec916e86d ("ipmi: Start the timer and thread on internal msgs")
+Signed-off-by: Yamazaki Masamitsu <m-yamazaki@ah.jp.nec.com>
+[Adjusted for recent changes in the driver.]
+[Some fairly major changes went into the IPMI driver in 4.15, so this
+ required a backport as the code had changed and moved to a different
+ file.  The 4.14 version of this patch moved some code under an
+ if statement causing it to not apply to 4.7-4.13.]
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_si_intf.c |   44 ++++++++++++++++++++-------------------
+ 1 file changed, 23 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -241,6 +241,9 @@ struct smi_info {
+       /* The timer for this si. */
+       struct timer_list   si_timer;
++      /* This flag is set, if the timer can be set */
++      bool                timer_can_start;
++
+       /* This flag is set, if the timer is running (timer_pending() isn't enough) */
+       bool                timer_running;
+@@ -416,6 +419,8 @@ out:
+ static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val)
+ {
++      if (!smi_info->timer_can_start)
++              return;
+       smi_info->last_timeout_jiffies = jiffies;
+       mod_timer(&smi_info->si_timer, new_val);
+       smi_info->timer_running = true;
+@@ -435,21 +440,18 @@ static void start_new_msg(struct smi_inf
+       smi_info->handlers->start_transaction(smi_info->si_sm, msg, size);
+ }
+-static void start_check_enables(struct smi_info *smi_info, bool start_timer)
++static void start_check_enables(struct smi_info *smi_info)
+ {
+       unsigned char msg[2];
+       msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
+       msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD;
+-      if (start_timer)
+-              start_new_msg(smi_info, msg, 2);
+-      else
+-              smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2);
++      start_new_msg(smi_info, msg, 2);
+       smi_info->si_state = SI_CHECKING_ENABLES;
+ }
+-static void start_clear_flags(struct smi_info *smi_info, bool start_timer)
++static void start_clear_flags(struct smi_info *smi_info)
+ {
+       unsigned char msg[3];
+@@ -458,10 +460,7 @@ static void start_clear_flags(struct smi
+       msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD;
+       msg[2] = WDT_PRE_TIMEOUT_INT;
+-      if (start_timer)
+-              start_new_msg(smi_info, msg, 3);
+-      else
+-              smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3);
++      start_new_msg(smi_info, msg, 3);
+       smi_info->si_state = SI_CLEARING_FLAGS;
+ }
+@@ -496,11 +495,11 @@ static void start_getting_events(struct
+  * Note that we cannot just use disable_irq(), since the interrupt may
+  * be shared.
+  */
+-static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer)
++static inline bool disable_si_irq(struct smi_info *smi_info)
+ {
+       if ((smi_info->irq) && (!smi_info->interrupt_disabled)) {
+               smi_info->interrupt_disabled = true;
+-              start_check_enables(smi_info, start_timer);
++              start_check_enables(smi_info);
+               return true;
+       }
+       return false;
+@@ -510,7 +509,7 @@ static inline bool enable_si_irq(struct
+ {
+       if ((smi_info->irq) && (smi_info->interrupt_disabled)) {
+               smi_info->interrupt_disabled = false;
+-              start_check_enables(smi_info, true);
++              start_check_enables(smi_info);
+               return true;
+       }
+       return false;
+@@ -528,7 +527,7 @@ static struct ipmi_smi_msg *alloc_msg_ha
+       msg = ipmi_alloc_smi_msg();
+       if (!msg) {
+-              if (!disable_si_irq(smi_info, true))
++              if (!disable_si_irq(smi_info))
+                       smi_info->si_state = SI_NORMAL;
+       } else if (enable_si_irq(smi_info)) {
+               ipmi_free_smi_msg(msg);
+@@ -544,7 +543,7 @@ retry:
+               /* Watchdog pre-timeout */
+               smi_inc_stat(smi_info, watchdog_pretimeouts);
+-              start_clear_flags(smi_info, true);
++              start_clear_flags(smi_info);
+               smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT;
+               if (smi_info->intf)
+                       ipmi_smi_watchdog_pretimeout(smi_info->intf);
+@@ -927,7 +926,7 @@ restart:
+                * disable and messages disabled.
+                */
+               if (smi_info->supports_event_msg_buff || smi_info->irq) {
+-                      start_check_enables(smi_info, true);
++                      start_check_enables(smi_info);
+               } else {
+                       smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
+                       if (!smi_info->curr_msg)
+@@ -1234,6 +1233,7 @@ static int smi_start_processing(void
+       /* Set up the timer that drives the interface. */
+       setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
++      new_smi->timer_can_start = true;
+       smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES);
+       /* Try to claim any interrupts. */
+@@ -3448,10 +3448,12 @@ static void check_for_broken_irqs(struct
+       check_set_rcv_irq(smi_info);
+ }
+-static inline void wait_for_timer_and_thread(struct smi_info *smi_info)
++static inline void stop_timer_and_thread(struct smi_info *smi_info)
+ {
+       if (smi_info->thread != NULL)
+               kthread_stop(smi_info->thread);
++
++      smi_info->timer_can_start = false;
+       if (smi_info->timer_running)
+               del_timer_sync(&smi_info->si_timer);
+ }
+@@ -3593,7 +3595,7 @@ static int try_smi_init(struct smi_info
+        * Start clearing the flags before we enable interrupts or the
+        * timer to avoid racing with the timer.
+        */
+-      start_clear_flags(new_smi, false);
++      start_clear_flags(new_smi);
+       /*
+        * IRQ is defined to be set when non-zero.  req_events will
+@@ -3671,7 +3673,7 @@ static int try_smi_init(struct smi_info
+       return 0;
+ out_err_stop_timer:
+-      wait_for_timer_and_thread(new_smi);
++      stop_timer_and_thread(new_smi);
+ out_err:
+       new_smi->interrupt_disabled = true;
+@@ -3865,7 +3867,7 @@ static void cleanup_one_si(struct smi_in
+        */
+       if (to_clean->irq_cleanup)
+               to_clean->irq_cleanup(to_clean);
+-      wait_for_timer_and_thread(to_clean);
++      stop_timer_and_thread(to_clean);
+       /*
+        * Timeouts are stopped, now make sure the interrupts are off
+@@ -3876,7 +3878,7 @@ static void cleanup_one_si(struct smi_in
+               poll(to_clean);
+               schedule_timeout_uninterruptible(1);
+       }
+-      disable_si_irq(to_clean, false);
++      disable_si_irq(to_clean);
+       while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) {
+               poll(to_clean);
+               schedule_timeout_uninterruptible(1);
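Review bot: The rewritten `start_clear_flags(new_smi)` in try_smi_init (the hunk under the comment "Start clearing the flags before we enable interrupts or the timer") now goes through start_new_msg() and smi_mod_timer(), so it only keeps that promise if `timer_can_start` is still false at that point; nothing in the hunk initialises the field, so this presumably relies on the smi_info allocation being zeroed. The comment above that call should state the dependency, e.g. `* timer.  smi_mod_timer() is a no-op until smi_start_processing() sets timer_can_start.` The struct comment `/* This flag is set, if the timer can be set */` could likewise say when it is cleared: `/* Set once the timer is initialised in smi_start_processing(); cleared in stop_timer_and_thread() before del_timer_sync() so a handler that re-arms via smi_mod_timer() cannot restart it. */`. Whether the plain bool read in smi_mod_timer() is ordered against the clear in stop_timer_and_thread() is not visible in the hunk and should be confirmed against the locking around the callers.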
diff --git a/queue-4.9/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch b/queue-4.9/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
new file mode 100644 (file)
index 0000000..09fb6c1
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 28 Nov 2017 08:03:30 -0800
+Subject: net/packet: fix a race in packet_bind() and packet_notifier()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ]
+
+syzbot reported crashes [1] and provided a C repro easing bug hunting.
+
+When/if packet_do_bind() calls __unregister_prot_hook() and releases
+po->bind_lock, another thread can run packet_notifier() and process an
+NETDEV_UP event.
+
+This calls register_prot_hook() and hooks again the socket right before
+first thread is able to grab again po->bind_lock.
+
+Fixes this issue by temporarily setting po->num to 0, as suggested by
+David Miller.
+
+[1]
+dev_remove_pack: ffff8801bf16fa80 not found
+------------[ cut here ]------------
+kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+Modules linked in:
+device syz0 entered promiscuous mode
+CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+task: ffff8801cc57a500 task.stack: ffff8801cc588000
+RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
+RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
+RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
+RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
+device syz0 entered promiscuous mode
+RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
+R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
+FS:  0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
+ tun_detach drivers/net/tun.c:670 [inline]
+ tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
+ __fput+0x333/0x7f0 fs/file_table.c:210
+ ____fput+0x15/0x20 fs/file_table.c:244
+ task_work_run+0x199/0x270 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x9bb/0x1ae0 kernel/exit.c:865
+ do_group_exit+0x149/0x400 kernel/exit.c:968
+ SYSC_exit_group kernel/exit.c:979 [inline]
+ SyS_exit_group+0x1d/0x20 kernel/exit.c:977
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+RIP: 0033:0x44ad19
+
+Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3101,6 +3101,10 @@ static int packet_do_bind(struct sock *s
+       if (need_rehook) {
+               if (po->running) {
+                       rcu_read_unlock();
++                      /* prevents packet_notifier() from calling
++                       * register_prot_hook()
++                       */
++                      po->num = 0;
+                       __unregister_prot_hook(sk, true);
+                       rcu_read_lock();
+                       dev_curr = po->prot_hook.dev;
+@@ -3109,6 +3113,7 @@ static int packet_do_bind(struct sock *s
+                                                                dev->ifindex);
+               }
++              BUG_ON(po->running);
+               po->num = proto;
+               po->prot_hook.type = proto;
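Review bot: `BUG_ON(po->running)` in the second file hunk turns any remaining re-hook race into a full kernel panic reachable from a bind() on a packet socket, a harsher failure mode than the double registration it guards against; `WARN_ON_ONCE(po->running)` followed by returning an error would keep the machine up while still flagging the bug (the right unlock path and error value depend on code outside the hunk). The `po->num = 0` store is a plain write that packet_notifier() reads on another CPU, and the comment could say what serialises it, e.g. `/* prevents packet_notifier() from calling register_prot_hook(); it checks po->num under po->bind_lock */` if packet_notifier() does take bind_lock as the commit text implies. packet_do_bind() starts and ends outside the hunk.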
diff --git a/queue-4.9/net-qmi_wwan-add-quectel-bg96-2c7c-0296.patch b/queue-4.9/net-qmi_wwan-add-quectel-bg96-2c7c-0296.patch
new file mode 100644 (file)
index 0000000..64f26ec
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Sebastian Sjoholm <ssjoholm@mac.com>
+Date: Mon, 20 Nov 2017 19:05:17 +0100
+Subject: net: qmi_wwan: add Quectel BG96 2c7c:0296
+
+From: Sebastian Sjoholm <ssjoholm@mac.com>
+
+
+[ Upstream commit f9409e7f086fa6c4623769b4b2f4f17a024d8143 ]
+
+Quectel BG96 is an Qualcomm MDM9206 based IoT modem, supporting both
+CAT-M and NB-IoT. Tested hardware is BG96 mounted on Quectel development
+board (EVB). The USB id is added to qmi_wwan.c to allow QMI
+communication with the BG96.
+
+Signed-off-by: Sebastian Sjoholm <ssjoholm@mac.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -936,6 +936,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)},    /* SIMCom 7230E */
+       {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0  Mini PCIe */
+       {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
++      {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)},    /* Quectel BG96 */
+       /* 4. Gobi 1000 devices */
+       {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)},    /* Acer Gobi Modem Device */
diff --git a/queue-4.9/net-remove-hlist_nulls_add_tail_rcu.patch b/queue-4.9/net-remove-hlist_nulls_add_tail_rcu.patch
new file mode 100644 (file)
index 0000000..2edf1bb
--- /dev/null
@@ -0,0 +1,149 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Dec 2017 12:45:56 -0800
+Subject: net: remove hlist_nulls_add_tail_rcu()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit d7efc6c11b277d9d80b99b1334a78bfe7d7edf10 ]
+
+Alexander Potapenko reported use of uninitialized memory [1]
+
+This happens when inserting a request socket into TCP ehash,
+in __sk_nulls_add_node_rcu(), since sk_reuseport is not initialized.
+
+Bug was added by commit d894ba18d4e4 ("soreuseport: fix ordering for
+mixed v4/v6 sockets")
+
+Note that d296ba60d8e2 ("soreuseport: Resolve merge conflict for v4/v6
+ordering fix") missed the opportunity to get rid of
+hlist_nulls_add_tail_rcu() :
+
+Both UDP sockets and TCP/DCCP listeners no longer use
+__sk_nulls_add_node_rcu() for their hash insertion.
+
+Since all other sockets have unique 4-tuple, the reuseport status
+has no special meaning, so we can always use hlist_nulls_add_head_rcu()
+for them and save few cycles/instructions.
+
+[1]
+
+==================================================================
+BUG: KMSAN: use of uninitialized memory in inet_ehash_insert+0xd40/0x1050
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0+ #3288
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:52
+ kmsan_report+0x13f/0x1c0 mm/kmsan/kmsan.c:1016
+ __msan_warning_32+0x69/0xb0 mm/kmsan/kmsan_instr.c:766
+ __sk_nulls_add_node_rcu ./include/net/sock.h:684
+ inet_ehash_insert+0xd40/0x1050 net/ipv4/inet_hashtables.c:413
+ reqsk_queue_hash_req net/ipv4/inet_connection_sock.c:754
+ inet_csk_reqsk_queue_hash_add+0x1cc/0x300 net/ipv4/inet_connection_sock.c:765
+ tcp_conn_request+0x31e7/0x36f0 net/ipv4/tcp_input.c:6414
+ tcp_v4_conn_request+0x16d/0x220 net/ipv4/tcp_ipv4.c:1314
+ tcp_rcv_state_process+0x42a/0x7210 net/ipv4/tcp_input.c:5917
+ tcp_v4_do_rcv+0xa6a/0xcd0 net/ipv4/tcp_ipv4.c:1483
+ tcp_v4_rcv+0x3de0/0x4ab0 net/ipv4/tcp_ipv4.c:1763
+ ip_local_deliver_finish+0x6bb/0xcb0 net/ipv4/ip_input.c:216
+ NF_HOOK ./include/linux/netfilter.h:248
+ ip_local_deliver+0x3fa/0x480 net/ipv4/ip_input.c:257
+ dst_input ./include/net/dst.h:477
+ ip_rcv_finish+0x6fb/0x1540 net/ipv4/ip_input.c:397
+ NF_HOOK ./include/linux/netfilter.h:248
+ ip_rcv+0x10f6/0x15c0 net/ipv4/ip_input.c:488
+ __netif_receive_skb_core+0x36f6/0x3f60 net/core/dev.c:4298
+ __netif_receive_skb net/core/dev.c:4336
+ netif_receive_skb_internal+0x63c/0x19c0 net/core/dev.c:4497
+ napi_skb_finish net/core/dev.c:4858
+ napi_gro_receive+0x629/0xa50 net/core/dev.c:4889
+ e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4018
+ e1000_clean_rx_irq+0x1492/0x1d30
+drivers/net/ethernet/intel/e1000/e1000_main.c:4474
+ e1000_clean+0x43aa/0x5970 drivers/net/ethernet/intel/e1000/e1000_main.c:3819
+ napi_poll net/core/dev.c:5500
+ net_rx_action+0x73c/0x1820 net/core/dev.c:5566
+ __do_softirq+0x4b4/0x8dd kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364
+ irq_exit+0x203/0x240 kernel/softirq.c:405
+ exiting_irq+0xe/0x10 ./arch/x86/include/asm/apic.h:638
+ do_IRQ+0x15e/0x1a0 arch/x86/kernel/irq.c:263
+ common_interrupt+0x86/0x86
+
+Fixes: d894ba18d4e4 ("soreuseport: fix ordering for mixed v4/v6 sockets")
+Fixes: d296ba60d8e2 ("soreuseport: Resolve merge conflict for v4/v6 ordering fix")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Alexander Potapenko <glider@google.com>
+Acked-by: Craig Gallek <kraig@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/rculist_nulls.h |   38 --------------------------------------
+ include/net/sock.h            |    6 +-----
+ 2 files changed, 1 insertion(+), 43 deletions(-)
+
+--- a/include/linux/rculist_nulls.h
++++ b/include/linux/rculist_nulls.h
+@@ -100,44 +100,6 @@ static inline void hlist_nulls_add_head_
+ }
+ /**
+- * hlist_nulls_add_tail_rcu
+- * @n: the element to add to the hash list.
+- * @h: the list to add to.
+- *
+- * Description:
+- * Adds the specified element to the end of the specified hlist_nulls,
+- * while permitting racing traversals.  NOTE: tail insertion requires
+- * list traversal.
+- *
+- * The caller must take whatever precautions are necessary
+- * (such as holding appropriate locks) to avoid racing
+- * with another list-mutation primitive, such as hlist_nulls_add_head_rcu()
+- * or hlist_nulls_del_rcu(), running on this same list.
+- * However, it is perfectly legal to run concurrently with
+- * the _rcu list-traversal primitives, such as
+- * hlist_nulls_for_each_entry_rcu(), used to prevent memory-consistency
+- * problems on Alpha CPUs.  Regardless of the type of CPU, the
+- * list-traversal primitive must be guarded by rcu_read_lock().
+- */
+-static inline void hlist_nulls_add_tail_rcu(struct hlist_nulls_node *n,
+-                                      struct hlist_nulls_head *h)
+-{
+-      struct hlist_nulls_node *i, *last = NULL;
+-
+-      for (i = hlist_nulls_first_rcu(h); !is_a_nulls(i);
+-           i = hlist_nulls_next_rcu(i))
+-              last = i;
+-
+-      if (last) {
+-              n->next = last->next;
+-              n->pprev = &last->next;
+-              rcu_assign_pointer(hlist_nulls_next_rcu(last), n);
+-      } else {
+-              hlist_nulls_add_head_rcu(n, h);
+-      }
+-}
+-
+-/**
+  * hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type
+  * @tpos:     the type * to use as a loop cursor.
+  * @pos:      the &struct hlist_nulls_node to use as a loop cursor.
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -648,11 +648,7 @@ static inline void sk_add_node_rcu(struc
+ static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
+ {
+-      if (IS_ENABLED(CONFIG_IPV6) && sk->sk_reuseport &&
+-          sk->sk_family == AF_INET6)
+-              hlist_nulls_add_tail_rcu(&sk->sk_nulls_node, list);
+-      else
+-              hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
++      hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
+ }
+ static inline void sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
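Review bot: The simplified `__sk_nulls_add_node_rcu()` in the second file hunk no longer reads `sk->sk_reuseport`, which is the uninitialised field KMSAN reported, but the function itself does not say so and the next person to reintroduce a reuseport-dependent insertion order would hit the same bug; a comment on the function would guard against that, e.g. `/* Request socks are hashed here before sk_reuseport is initialised; never key the insertion order on it (this is why hlist_nulls_add_tail_rcu() was removed). */`. The first hunk deletes hlist_nulls_add_tail_rcu() outright, which is only safe if no remaining caller exists in the 4.9 tree; the diffstat covers just these two headers, so that cannot be confirmed from here.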
diff --git a/queue-4.9/packet-fix-crash-in-fanout_demux_rollover.patch b/queue-4.9/packet-fix-crash-in-fanout_demux_rollover.patch
new file mode 100644 (file)
index 0000000..2b6061f
--- /dev/null
@@ -0,0 +1,155 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Mike Maloney <maloney@google.com>
+Date: Tue, 28 Nov 2017 10:44:29 -0500
+Subject: packet: fix crash in fanout_demux_rollover()
+
+From: Mike Maloney <maloney@google.com>
+
+
+syzkaller found a race condition fanout_demux_rollover() while removing
+a packet socket from a fanout group.
+
+po->rollover is read and operated on during packet_rcv_fanout(), via
+fanout_demux_rollover(), but the pointer is currently cleared before the
+synchronization in packet_release().   It is safer to delay the cleanup
+until after synchronize_net() has been called, ensuring all calls to
+packet_rcv_fanout() for this socket have finished.
+
+To further simplify synchronization around the rollover structure, set
+po->rollover in fanout_add() only if there are no errors.  This removes
+the need for rcu in the struct and in the call to
+packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
+
+Crashing stack trace:
+ fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392
+ packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487
+ dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953
+ xmit_one net/core/dev.c:2975 [inline]
+ dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995
+ __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3509
+ neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379
+ neigh_output include/net/neighbour.h:482 [inline]
+ ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
+ ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146
+ NF_HOOK_COND include/linux/netfilter.h:239 [inline]
+ ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
+ dst_output include/net/dst.h:459 [inline]
+ NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250
+ mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660
+ mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072
+ mld_send_initial_cr net/ipv6/mcast.c:2056 [inline]
+ ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079
+ addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039
+ addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971
+ process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113
+ worker_thread+0x223/0x1990 kernel/workqueue.c:2247
+ kthread+0x35e/0x430 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432
+
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Mike Maloney <maloney@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |   32 ++++++++++----------------------
+ net/packet/internal.h  |    1 -
+ 2 files changed, 10 insertions(+), 23 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1661,7 +1661,6 @@ static int fanout_add(struct sock *sk, u
+               atomic_long_set(&rollover->num, 0);
+               atomic_long_set(&rollover->num_huge, 0);
+               atomic_long_set(&rollover->num_failed, 0);
+-              po->rollover = rollover;
+       }
+       match = NULL;
+@@ -1706,6 +1705,8 @@ static int fanout_add(struct sock *sk, u
+               if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
+                       __dev_remove_pack(&po->prot_hook);
+                       po->fanout = match;
++                      po->rollover = rollover;
++                      rollover = NULL;
+                       atomic_inc(&match->sk_ref);
+                       __fanout_link(sk, po);
+                       err = 0;
+@@ -1719,10 +1720,7 @@ static int fanout_add(struct sock *sk, u
+       }
+ out:
+-      if (err && rollover) {
+-              kfree_rcu(rollover, rcu);
+-              po->rollover = NULL;
+-      }
++      kfree(rollover);
+       mutex_unlock(&fanout_mutex);
+       return err;
+ }
+@@ -1746,11 +1744,6 @@ static struct packet_fanout *fanout_rele
+                       list_del(&f->list);
+               else
+                       f = NULL;
+-
+-              if (po->rollover) {
+-                      kfree_rcu(po->rollover, rcu);
+-                      po->rollover = NULL;
+-              }
+       }
+       mutex_unlock(&fanout_mutex);
+@@ -3039,6 +3032,7 @@ static int packet_release(struct socket
+       synchronize_net();
+       if (f) {
++              kfree(po->rollover);
+               fanout_release_data(f);
+               kfree(f);
+       }
+@@ -3853,7 +3847,6 @@ static int packet_getsockopt(struct sock
+       void *data = &val;
+       union tpacket_stats_u st;
+       struct tpacket_rollover_stats rstats;
+-      struct packet_rollover *rollover;
+       if (level != SOL_PACKET)
+               return -ENOPROTOOPT;
+@@ -3932,18 +3925,13 @@ static int packet_getsockopt(struct sock
+                      0);
+               break;
+       case PACKET_ROLLOVER_STATS:
+-              rcu_read_lock();
+-              rollover = rcu_dereference(po->rollover);
+-              if (rollover) {
+-                      rstats.tp_all = atomic_long_read(&rollover->num);
+-                      rstats.tp_huge = atomic_long_read(&rollover->num_huge);
+-                      rstats.tp_failed = atomic_long_read(&rollover->num_failed);
+-                      data = &rstats;
+-                      lv = sizeof(rstats);
+-              }
+-              rcu_read_unlock();
+-              if (!rollover)
++              if (!po->rollover)
+                       return -EINVAL;
++              rstats.tp_all = atomic_long_read(&po->rollover->num);
++              rstats.tp_huge = atomic_long_read(&po->rollover->num_huge);
++              rstats.tp_failed = atomic_long_read(&po->rollover->num_failed);
++              data = &rstats;
++              lv = sizeof(rstats);
+               break;
+       case PACKET_TX_HAS_OFF:
+               val = po->tp_tx_has_off;
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -92,7 +92,6 @@ struct packet_fanout {
+ struct packet_rollover {
+       int                     sock;
+-      struct rcu_head         rcu;
+       atomic_long_t           num;
+       atomic_long_t           num_huge;
+       atomic_long_t           num_failed;
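Review bot: This patch file has no `[ Upstream commit ... ]` line between the From: header and the body (every other backport in this series has one), so the upstream commit it corresponds to cannot be verified; it should carry `[ Upstream commit <UPSTREAM-SHA-PLACEHOLDER> ]`. In the PACKET_ROLLOVER_STATS case of packet_getsockopt(), the rewrite drops the local `rollover` snapshot and reads `po->rollover` four times while holding neither fanout_mutex nor rcu; the pointer presumably only goes from NULL to set while the socket is open, so this should be safe, but keeping `struct packet_rollover *rollover = po->rollover;` and dereferencing that once would make the single-read intent explicit instead of relying on the compiler not re-loading it. packet_getsockopt() and fanout_add() both extend beyond the hunks shown.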
diff --git a/queue-4.9/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch b/queue-4.9/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
new file mode 100644 (file)
index 0000000..9a29911
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Håkon Bugge <Haakon.Bugge@oracle.com>
+Date: Wed, 6 Dec 2017 17:18:28 +0100
+Subject: rds: Fix NULL pointer dereference in __rds_rdma_map
+
+From: Håkon Bugge <Haakon.Bugge@oracle.com>
+
+
+[ Upstream commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca ]
+
+This is a fix for syzkaller719569, where memory registration was
+attempted without any underlying transport being loaded.
+
+Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
+(2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.
+
+Here is an example stack trace when the bug is hit:
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
+IP: __rds_rdma_map+0x36/0x440 [rds]
+PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0
+Oops: 0000 [#1] SMP
+Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4
+dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp
+coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul
+ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd
+iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd
+shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core
+auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2
+mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect
+sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm
+crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror
+dm_region_hash dm_log dm_mod
+CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2
+Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017
+task: ffff882f9190db00 task.stack: ffffc9002b994000
+RIP: 0010:__rds_rdma_map+0x36/0x440 [rds]
+RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580
+RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002
+R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580
+R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc
+FS:  00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0
+Call Trace:
+ rds_get_mr+0x56/0x80 [rds]
+ rds_setsockopt+0x172/0x340 [rds]
+ ? __fget_light+0x25/0x60
+ ? __fdget+0x13/0x20
+ SyS_setsockopt+0x80/0xe0
+ do_syscall_64+0x67/0x1b0
+ entry_SYSCALL64_slow_path+0x25/0x25
+RIP: 0033:0x7fbff9b117f9
+RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9
+RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b
+RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860
+R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000
+R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021
+
+Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48
+89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48>
+83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08
+
+The fix is to check the existence of an underlying transport in
+__rds_rdma_map().
+
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -183,7 +183,7 @@ static int __rds_rdma_map(struct rds_soc
+       long i;
+       int ret;
+-      if (rs->rs_bound_addr == 0) {
++      if (rs->rs_bound_addr == 0 || !rs->rs_transport) {
+               ret = -ENOTCONN; /* XXX not a great errno */
+               goto out;
+       }
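Review bot: The new `!rs->rs_transport` test shares the `-ENOTCONN` path with the unbound-address check, so the existing `/* XXX not a great errno */` comment now covers two distinct causes that callers cannot tell apart; a comment on the added condition such as `/* rs_transport stays NULL until bind() attached a loaded transport */` would record why the second check exists. Whether `rs->rs_transport` can be assigned concurrently while __rds_rdma_map() runs is not visible here — the function starts and ends outside the hunk — so the lock that serialises this read against the bind path is worth confirming in the backport.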
diff --git a/queue-4.9/s390-qeth-build-max-size-gso-skbs-on-l2-devices.patch b/queue-4.9/s390-qeth-build-max-size-gso-skbs-on-l2-devices.patch
new file mode 100644 (file)
index 0000000..8243e1a
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Fri, 1 Dec 2017 10:14:51 +0100
+Subject: s390/qeth: build max size GSO skbs on L2 devices
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 0cbff6d4546613330a1c5f139f5c368e4ce33ca1 ]
+
+The current GSO skb size limit was copy&pasted over from the L3 path,
+where it is needed due to a TSO limitation.
+As L2 devices don't offer TSO support (and thus all GSO skbs are
+segmented before they reach the driver), there's no reason to restrict
+the stack in how large it may build the GSO skbs.
+
+Fixes: d52aec97e5bc ("qeth: enable scatter/gather in layer 2 mode")
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l2_main.c |    2 --
+ drivers/s390/net/qeth_l3_main.c |    4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1140,8 +1140,6 @@ static int qeth_l2_setup_netdev(struct q
+       }
+       card->info.broadcast_capable = 1;
+       qeth_l2_request_initial_mac(card);
+-      card->dev->gso_max_size = (QETH_MAX_BUFFER_ELEMENTS(card) - 1) *
+-                                PAGE_SIZE;
+       SET_NETDEV_DEV(card->dev, &card->gdev->dev);
+       netif_napi_add(card->dev, &card->napi, qeth_l2_poll, QETH_NAPI_WEIGHT);
+       netif_carrier_off(card->dev);
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3147,8 +3147,8 @@ static int qeth_l3_setup_netdev(struct q
+                               NETIF_F_HW_VLAN_CTAG_RX |
+                               NETIF_F_HW_VLAN_CTAG_FILTER;
+       netif_keep_dst(card->dev);
+-      card->dev->gso_max_size = (QETH_MAX_BUFFER_ELEMENTS(card) - 1) *
+-                                PAGE_SIZE;
++      netif_set_gso_max_size(card->dev, (QETH_MAX_BUFFER_ELEMENTS(card) - 1) *
++                                        PAGE_SIZE);
+       SET_NETDEV_DEV(card->dev, &card->gdev->dev);
+       netif_napi_add(card->dev, &card->napi, qeth_l3_poll, QETH_NAPI_WEIGHT);
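Review bot: The qeth_l3_main.c hunk replaces the direct `gso_max_size` store with `netif_set_gso_max_size()`, a change the description does not mention (it only explains removing the L2 limit); for a stable backport a sentence noting that this part is an accessor-only, behaviour-neutral rewrite would help reviewers separate it from the functional change. Presumably the helper just stores the value in this kernel, but that is not visible here.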
diff --git a/queue-4.9/s390-qeth-fix-early-exit-from-error-path.patch b/queue-4.9/s390-qeth-fix-early-exit-from-error-path.patch
new file mode 100644 (file)
index 0000000..a293590
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Wed, 18 Oct 2017 17:40:17 +0200
+Subject: s390/qeth: fix early exit from error path
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 83cf79a2fec3cf499eb6cb9eb608656fc2a82776 ]
+
+When the allocation of the addr buffer fails, we need to free
+our refcount on the inetdevice before returning.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -1593,7 +1593,7 @@ static void qeth_l3_free_vlan_addresses4
+       addr = qeth_l3_get_addr_buffer(QETH_PROT_IPV4);
+       if (!addr)
+-              return;
++              goto out;
+       spin_lock_bh(&card->ip_lock);
+@@ -1607,6 +1607,7 @@ static void qeth_l3_free_vlan_addresses4
+       spin_unlock_bh(&card->ip_lock);
+       kfree(addr);
++out:
+       in_dev_put(in_dev);
+ }
+@@ -1631,7 +1632,7 @@ static void qeth_l3_free_vlan_addresses6
+       addr = qeth_l3_get_addr_buffer(QETH_PROT_IPV6);
+       if (!addr)
+-              return;
++              goto out;
+       spin_lock_bh(&card->ip_lock);
+@@ -1646,6 +1647,7 @@ static void qeth_l3_free_vlan_addresses6
+       spin_unlock_bh(&card->ip_lock);
+       kfree(addr);
++out:
+       in6_dev_put(in6_dev);
+ #endif /* CONFIG_QETH_IPV6 */
+ }
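Review bot: The new `out:` labels sit directly in front of `in_dev_put(in_dev)` and `in6_dev_put(in6_dev)` without saying which reference they release, and the matching get calls are outside the hunk; a short comment on each label, e.g. `out:	/* drop the inetdevice reference taken at function entry */`, would make the pairing visible to the next reader. Both functions start outside the hunk, so whether any other early return between the get and this point still skips the put cannot be checked from here.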
diff --git a/queue-4.9/s390-qeth-fix-gso-throughput-regression.patch b/queue-4.9/s390-qeth-fix-gso-throughput-regression.patch
new file mode 100644 (file)
index 0000000..97d6169
--- /dev/null
@@ -0,0 +1,140 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Fri, 1 Dec 2017 10:14:50 +0100
+Subject: s390/qeth: fix GSO throughput regression
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 6d69b1f1eb7a2edf8a3547f361c61f2538e054bb ]
+
+Using GSO with small MTUs currently results in a substantial throughput
+regression - which is caused by how qeth needs to map non-linear skbs
+into its IO buffer elements:
+compared to a linear skb, each GSO-segmented skb effectively consumes
+twice as many buffer elements (ie two instead of one) due to the
+additional header-only part. This causes the Output Queue to be
+congested with low-utilized IO buffers.
+
+Fix this as follows:
+If the MSS is low enough so that a non-SG GSO segmentation produces
+order-0 skbs (currently ~3500 byte), opt out from NETIF_F_SG. This is
+where we anticipate the biggest savings, since an SG-enabled
+GSO segmentation produces skbs that always consume at least two
+buffer elements.
+
+Larger MSS values continue to get a SG-enabled GSO segmentation, since
+1) the relative overhead of the additional header-only buffer element
+becomes less noticeable, and
+2) the linearization overhead increases.
+
+With the throughput regression fixed, re-enable NETIF_F_SG by default to
+reap the significant CPU savings of GSO.
+
+Fixes: 5722963a8e83 ("qeth: do not turn on SG per default")
+Reported-by: Nils Hoppmann <niho@de.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core.h      |    3 +++
+ drivers/s390/net/qeth_core_main.c |   31 +++++++++++++++++++++++++++++++
+ drivers/s390/net/qeth_l2_main.c   |    2 ++
+ drivers/s390/net/qeth_l3_main.c   |    2 ++
+ 4 files changed, 38 insertions(+)
+
+--- a/drivers/s390/net/qeth_core.h
++++ b/drivers/s390/net/qeth_core.h
+@@ -1004,6 +1004,9 @@ struct qeth_cmd_buffer *qeth_get_setassp
+ int qeth_set_features(struct net_device *, netdev_features_t);
+ int qeth_recover_features(struct net_device *);
+ netdev_features_t qeth_fix_features(struct net_device *, netdev_features_t);
++netdev_features_t qeth_features_check(struct sk_buff *skb,
++                                    struct net_device *dev,
++                                    netdev_features_t features);
+ /* exports for OSN */
+ int qeth_osn_assist(struct net_device *, void *, int);
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -19,6 +19,11 @@
+ #include <linux/mii.h>
+ #include <linux/kthread.h>
+ #include <linux/slab.h>
++#include <linux/if_vlan.h>
++#include <linux/netdevice.h>
++#include <linux/netdev_features.h>
++#include <linux/skbuff.h>
++
+ #include <net/iucv/af_iucv.h>
+ #include <net/dsfield.h>
+@@ -6240,6 +6245,32 @@ netdev_features_t qeth_fix_features(stru
+ }
+ EXPORT_SYMBOL_GPL(qeth_fix_features);
++netdev_features_t qeth_features_check(struct sk_buff *skb,
++                                    struct net_device *dev,
++                                    netdev_features_t features)
++{
++      /* GSO segmentation builds skbs with
++       *      a (small) linear part for the headers, and
++       *      page frags for the data.
++       * Compared to a linear skb, the header-only part consumes an
++       * additional buffer element. This reduces buffer utilization, and
++       * hurts throughput. So compress small segments into one element.
++       */
++      if (netif_needs_gso(skb, features)) {
++              /* match skb_segment(): */
++              unsigned int doffset = skb->data - skb_mac_header(skb);
++              unsigned int hsize = skb_shinfo(skb)->gso_size;
++              unsigned int hroom = skb_headroom(skb);
++
++              /* linearize only if resulting skb allocations are order-0: */
++              if (SKB_DATA_ALIGN(hroom + doffset + hsize) <= SKB_MAX_HEAD(0))
++                      features &= ~NETIF_F_SG;
++      }
++
++      return vlan_features_check(skb, features);
++}
++EXPORT_SYMBOL_GPL(qeth_features_check);
++
+ static int __init qeth_core_init(void)
+ {
+       int rc;
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1084,6 +1084,7 @@ static const struct net_device_ops qeth_
+       .ndo_stop               = qeth_l2_stop,
+       .ndo_get_stats          = qeth_get_stats,
+       .ndo_start_xmit         = qeth_l2_hard_start_xmit,
++      .ndo_features_check     = qeth_features_check,
+       .ndo_validate_addr      = eth_validate_addr,
+       .ndo_set_rx_mode        = qeth_l2_set_rx_mode,
+       .ndo_do_ioctl           = qeth_l2_do_ioctl,
+@@ -1128,6 +1129,7 @@ static int qeth_l2_setup_netdev(struct q
+       if (card->info.type == QETH_CARD_TYPE_OSD && !card->info.guestlan) {
+               card->dev->hw_features = NETIF_F_SG;
+               card->dev->vlan_features = NETIF_F_SG;
++              card->dev->features |= NETIF_F_SG;
+               /* OSA 3S and earlier has no RX/TX support */
+               if (qeth_is_supported(card, IPA_OUTBOUND_CHECKSUM)) {
+                       card->dev->hw_features |= NETIF_F_IP_CSUM;
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3066,6 +3066,7 @@ static const struct net_device_ops qeth_
+       .ndo_stop               = qeth_l3_stop,
+       .ndo_get_stats          = qeth_get_stats,
+       .ndo_start_xmit         = qeth_l3_hard_start_xmit,
++      .ndo_features_check     = qeth_features_check,
+       .ndo_validate_addr      = eth_validate_addr,
+       .ndo_set_rx_mode        = qeth_l3_set_multicast_list,
+       .ndo_do_ioctl           = qeth_l3_do_ioctl,
+@@ -3122,6 +3123,7 @@ static int qeth_l3_setup_netdev(struct q
+                               card->dev->vlan_features = NETIF_F_SG |
+                                       NETIF_F_RXCSUM | NETIF_F_IP_CSUM |
+                                       NETIF_F_TSO;
++                              card->dev->features |= NETIF_F_SG;
+                       }
+               }
+       } else if (card->info.type == QETH_CARD_TYPE_IQD) {
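Review bot: `doffset = skb->data - skb_mac_header(skb)` in qeth_features_check() assumes every skb reaching ndo_features_check has its mac header offset set; if it is not, the subtraction yields an arbitrary value and the order-0 comparison below decides NETIF_F_SG on garbage. The comment says this mirrors skb_segment(), which only runs on skbs the stack has prepared for segmentation, whereas ndo_features_check runs for every transmitted skb — narrowed here by `netif_needs_gso()`, which presumably covers the cases that matter. Either a `skb_mac_header_was_set(skb)` guard or a comment stating why the header is guaranteed at this point, e.g. `/* mac header is reset by the xmit path before features_check */`, would make the assumption explicit and reviewable.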
diff --git a/queue-4.9/s390-qeth-fix-thinko-in-ipv4-multicast-address-tracking.patch b/queue-4.9/s390-qeth-fix-thinko-in-ipv4-multicast-address-tracking.patch
new file mode 100644 (file)
index 0000000..5d370f9
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Fri, 1 Dec 2017 10:14:49 +0100
+Subject: s390/qeth: fix thinko in IPv4 multicast address tracking
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upsteam commit bc3ab70584696cb798b9e1e0ac8e6ced5fd4c3b8 ]
+
+Commit 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback")
+reworked how secondary addresses are managed for qeth devices.
+Instead of dropping & subsequently re-adding all addresses on every
+ndo_set_rx_mode() call, qeth now keeps track of the addresses that are
+currently registered with the HW.
+On a ndo_set_rx_mode(), we thus only need to do (de-)registration
+requests for the addresses that have actually changed.
+
+On L3 devices, the lookup for IPv4 Multicast addresses checks the wrong
+hashtable - and thus never finds a match. As a result, we first delete
+*all* such addresses, and then re-add them again. So each set_rx_mode()
+causes a short period where the IPv4 Multicast addresses are not
+registered, and the card stops forwarding inbound traffic for them.
+
+Fix this by setting the ->is_multicast flag on the lookup object, thus
+enabling qeth_l3_ip_from_hash() to search the correct hashtable and
+find a match there.
+
+Fixes: 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback")
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -1416,6 +1416,7 @@ qeth_l3_add_mc_to_hash(struct qeth_card
+               tmp->u.a4.addr = im4->multiaddr;
+               memcpy(tmp->mac, buf, sizeof(tmp->mac));
++              tmp->is_multicast = 1;
+               ipm = qeth_l3_ip_from_hash(card, tmp);
+               if (ipm) {
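Review bot: `tmp->is_multicast = 1;` is the whole fix, but nothing at the call site says that qeth_l3_ip_from_hash() selects the hashtable from this flag — which is exactly what the original code missed; a comment such as `/* qeth_l3_ip_from_hash() picks the mc hashtable by ->is_multicast */` on the added line would keep a later refactor from dropping it. The lookup object `tmp` is set up outside the hunk, so whether the flag survives reuse of `tmp` across iterations cannot be checked here.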
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..b2b2b82
--- /dev/null
@@ -0,0 +1,17 @@
+net-qmi_wwan-add-quectel-bg96-2c7c-0296.patch
+s390-qeth-fix-early-exit-from-error-path.patch
+tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
+rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
+sit-update-frag_off-info.patch
+packet-fix-crash-in-fanout_demux_rollover.patch
+net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
+usbnet-fix-alignment-for-frames-with-no-ethernet-header.patch
+net-remove-hlist_nulls_add_tail_rcu.patch
+stmmac-reset-last-tso-segment-size-after-device-open.patch
+tcp-dccp-block-bh-before-arming-time_wait-timer.patch
+s390-qeth-build-max-size-gso-skbs-on-l2-devices.patch
+s390-qeth-fix-gso-throughput-regression.patch
+s390-qeth-fix-thinko-in-ipv4-multicast-address-tracking.patch
+tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_recv.patch
+fix-handling-of-verdicts-after-nf_queue.patch
+ipmi-stop-timers-before-cleaning-up-the-module.patch
diff --git a/queue-4.9/sit-update-frag_off-info.patch b/queue-4.9/sit-update-frag_off-info.patch
new file mode 100644 (file)
index 0000000..7b6abb6
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 30 Nov 2017 10:41:14 +0800
+Subject: sit: update frag_off info
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit f859b4af1c52493ec21173ccc73d0b60029b5b88 ]
+
+After parsing the sit netlink change info, we forget to update frag_off in
+ipip6_tunnel_update(). Fix it by assigning frag_off with new value.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1085,6 +1085,7 @@ static void ipip6_tunnel_update(struct i
+       ipip6_tunnel_link(sitn, t);
+       t->parms.iph.ttl = p->iph.ttl;
+       t->parms.iph.tos = p->iph.tos;
++      t->parms.iph.frag_off = p->iph.frag_off;
+       if (t->parms.link != p->link) {
+               t->parms.link = p->link;
+               ipip6_tunnel_bind_dev(t->dev);
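Review bot: `t->parms.iph.frag_off = p->iph.frag_off;` copies the new value verbatim, and the hunk does not show where `p->iph.frag_off` was validated; ipip6_tunnel_update() is reached from more than one configuration path (the description names the netlink change path), and presumably the ioctl path masks everything but the DF bit while the netlink path derives the field from IFLA_IPTUN_PMTUDISC, so it is worth confirming that both feed only `0` or `htons(IP_DF)` here. A one-line comment, `/* only 0 or IP_DF; validated by the ioctl/netlink callers */`, would document that contract next to the copy. The function starts outside the hunk.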
diff --git a/queue-4.9/stmmac-reset-last-tso-segment-size-after-device-open.patch b/queue-4.9/stmmac-reset-last-tso-segment-size-after-device-open.patch
new file mode 100644 (file)
index 0000000..375a91a
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Lars Persson <lars.persson@axis.com>
+Date: Fri, 1 Dec 2017 11:12:44 +0100
+Subject: stmmac: reset last TSO segment size after device open
+
+From: Lars Persson <lars.persson@axis.com>
+
+
+[ Upstream commit 45ab4b13e46325d00f4acdb365d406e941a15f81 ]
+
+The mss variable tracks the last max segment size sent to the TSO
+engine. We do not update the hardware as long as we receive skb:s with
+the same value in gso_size.
+
+During a network device down/up cycle (mapped to stmmac_release() and
+stmmac_open() callbacks) we issue a reset to the hardware and it
+forgets the setting for mss. However we did not zero out our mss
+variable so the next transmission of a gso packet happens with an
+undefined hardware setting.
+
+This triggers a hang in the TSO engine and eventuelly the netdev
+watchdog will bark.
+
+Fixes: f748be531d70 ("stmmac: support new GMAC4")
+Signed-off-by: Lars Persson <larper@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1795,6 +1795,7 @@ static int stmmac_open(struct net_device
+       priv->dma_buf_sz = STMMAC_ALIGN(buf_sz);
+       priv->rx_copybreak = STMMAC_RX_COPYBREAK;
++      priv->mss = 0;
+       ret = alloc_dma_desc_resources(priv);
+       if (ret < 0) {
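Review bot: `priv->mss = 0;` clears the cached MSS only in stmmac_open(), but the description says the cache goes stale whenever the hardware is reset; any other reset path (suspend/resume, a watchdog-triggered reinit) would need the same line, and none of those is visible in this hunk. A comment on the added line would record the invariant for whoever adds the next reset path, e.g. `/* HW reset dropped the programmed MSS; force a re-program on the next TSO skb */`. Using 0 as the "not programmed" marker relies on no real TSO skb carrying gso_size 0, which is worth stating in the same comment.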
diff --git a/queue-4.9/tcp-dccp-block-bh-before-arming-time_wait-timer.patch b/queue-4.9/tcp-dccp-block-bh-before-arming-time_wait-timer.patch
new file mode 100644 (file)
index 0000000..7b2f736
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 1 Dec 2017 10:06:56 -0800
+Subject: tcp/dccp: block bh before arming time_wait timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit cfac7f836a715b91f08c851df915d401a4d52783 ]
+
+Maciej Żenczykowski reported some panics in tcp_twsk_destructor()
+that might be caused by the following bug.
+
+timewait timer is pinned to the cpu, because we want to transition
+timwewait refcount from 0 to 4 in one go, once everything has been
+initialized.
+
+At the time commit ed2e92394589 ("tcp/dccp: fix timewait races in timer
+handling") was merged, TCP was always running from BH habdler.
+
+After commit 5413d1babe8f ("net: do not block BH while processing
+socket backlog") we definitely can run tcp_time_wait() from process
+context.
+
+We need to block BH in the critical section so that the pinned timer
+has still its purpose.
+
+This bug is more likely to happen under stress and when very small RTO
+are used in datacenter flows.
+
+Fixes: 5413d1babe8f ("net: do not block BH while processing socket backlog")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Acked-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/minisocks.c     |    6 ++++++
+ net/ipv4/tcp_minisocks.c |    6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/net/dccp/minisocks.c
++++ b/net/dccp/minisocks.c
+@@ -57,10 +57,16 @@ void dccp_time_wait(struct sock *sk, int
+               if (state == DCCP_TIME_WAIT)
+                       timeo = DCCP_TIMEWAIT_LEN;
++              /* tw_timer is pinned, so we need to make sure BH are disabled
++               * in following section, otherwise timer handler could run before
++               * we complete the initialization.
++               */
++              local_bh_disable();
+               inet_twsk_schedule(tw, timeo);
+               /* Linkage updates. */
+               __inet_twsk_hashdance(tw, sk, &dccp_hashinfo);
+               inet_twsk_put(tw);
++              local_bh_enable();
+       } else {
+               /* Sorry, if we're out of memory, just CLOSE this
+                * socket up.  We've got bigger problems than
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -328,10 +328,16 @@ void tcp_time_wait(struct sock *sk, int
+                               timeo = TCP_TIMEWAIT_LEN;
+               }
++              /* tw_timer is pinned, so we need to make sure BH are disabled
++               * in following section, otherwise timer handler could run before
++               * we complete the initialization.
++               */
++              local_bh_disable();
+               inet_twsk_schedule(tw, timeo);
+               /* Linkage updates. */
+               __inet_twsk_hashdance(tw, sk, &tcp_hashinfo);
+               inet_twsk_put(tw);
++              local_bh_enable();
+       } else {
+               /* Sorry, if we're out of memory, just CLOSE this
+                * socket up.  We've got bigger problems than
diff --git a/queue-4.9/tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_recv.patch b/queue-4.9/tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_recv.patch
new file mode 100644 (file)
index 0000000..2be008e
--- /dev/null
@@ -0,0 +1,126 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Wed, 29 Nov 2017 12:48:42 +0200
+Subject: tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+
+[ Upstream commit c7799c067c2ae33e348508c8afec354f3257ff25 ]
+
+Remove the second tipc_rcv() call in tipc_udp_recv(). We have just
+checked that the bearer is not up, and calling tipc_rcv() with a bearer
+that is not up leads to a TIPC div-by-zero crash in
+tipc_node_calculate_timer(). The crash is rare in practice, but can
+happen like this:
+
+  We're enabling a bearer, but it's not yet up and fully initialized.
+  At the same time we receive a discovery packet, and in tipc_udp_recv()
+  we end up calling tipc_rcv() with the not-yet-initialized bearer,
+  causing later the div-by-zero crash in tipc_node_calculate_timer().
+
+Jon Maloy explains the impact of removing the second tipc_rcv() call:
+  "link setup in the worst case will be delayed until the next arriving
+   discovery messages, 1 sec later, and this is an acceptable delay."
+
+As the tipc_rcv() call is removed, just leave the function via the
+rcu_out label, so that we will kfree_skb().
+
+[   12.590450] Own node address <1.1.1>, network identity 1
+[   12.668088] divide error: 0000 [#1] SMP
+[   12.676952] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.14.2-dirty #1
+[   12.679225] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+[   12.682095] task: ffff8c2a761edb80 task.stack: ffffa41cc0cac000
+[   12.684087] RIP: 0010:tipc_node_calculate_timer.isra.12+0x45/0x60 [tipc]
+[   12.686486] RSP: 0018:ffff8c2a7fc838a0 EFLAGS: 00010246
+[   12.688451] RAX: 0000000000000000 RBX: ffff8c2a5b382600 RCX: 0000000000000000
+[   12.691197] RDX: 0000000000000000 RSI: ffff8c2a5b382600 RDI: ffff8c2a5b382600
+[   12.693945] RBP: ffff8c2a7fc838b0 R08: 0000000000000001 R09: 0000000000000001
+[   12.696632] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8c2a5d8949d8
+[   12.699491] R13: ffffffff95ede400 R14: 0000000000000000 R15: ffff8c2a5d894800
+[   12.702338] FS:  0000000000000000(0000) GS:ffff8c2a7fc80000(0000) knlGS:0000000000000000
+[   12.705099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   12.706776] CR2: 0000000001bb9440 CR3: 00000000bd009001 CR4: 00000000003606e0
+[   12.708847] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   12.711016] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   12.712627] Call Trace:
+[   12.713390]  <IRQ>
+[   12.714011]  tipc_node_check_dest+0x2e8/0x350 [tipc]
+[   12.715286]  tipc_disc_rcv+0x14d/0x1d0 [tipc]
+[   12.716370]  tipc_rcv+0x8b0/0xd40 [tipc]
+[   12.717396]  ? minmax_running_min+0x2f/0x60
+[   12.718248]  ? dst_alloc+0x4c/0xa0
+[   12.718964]  ? tcp_ack+0xaf1/0x10b0
+[   12.719658]  ? tipc_udp_is_known_peer+0xa0/0xa0 [tipc]
+[   12.720634]  tipc_udp_recv+0x71/0x1d0 [tipc]
+[   12.721459]  ? dst_alloc+0x4c/0xa0
+[   12.722130]  udp_queue_rcv_skb+0x264/0x490
+[   12.722924]  __udp4_lib_rcv+0x21e/0x990
+[   12.723670]  ? ip_route_input_rcu+0x2dd/0xbf0
+[   12.724442]  ? tcp_v4_rcv+0x958/0xa40
+[   12.725039]  udp_rcv+0x1a/0x20
+[   12.725587]  ip_local_deliver_finish+0x97/0x1d0
+[   12.726323]  ip_local_deliver+0xaf/0xc0
+[   12.726959]  ? ip_route_input_noref+0x19/0x20
+[   12.727689]  ip_rcv_finish+0xdd/0x3b0
+[   12.728307]  ip_rcv+0x2ac/0x360
+[   12.728839]  __netif_receive_skb_core+0x6fb/0xa90
+[   12.729580]  ? udp4_gro_receive+0x1a7/0x2c0
+[   12.730274]  __netif_receive_skb+0x1d/0x60
+[   12.730953]  ? __netif_receive_skb+0x1d/0x60
+[   12.731637]  netif_receive_skb_internal+0x37/0xd0
+[   12.732371]  napi_gro_receive+0xc7/0xf0
+[   12.732920]  receive_buf+0x3c3/0xd40
+[   12.733441]  virtnet_poll+0xb1/0x250
+[   12.733944]  net_rx_action+0x23e/0x370
+[   12.734476]  __do_softirq+0xc5/0x2f8
+[   12.734922]  irq_exit+0xfa/0x100
+[   12.735315]  do_IRQ+0x4f/0xd0
+[   12.735680]  common_interrupt+0xa2/0xa2
+[   12.736126]  </IRQ>
+[   12.736416] RIP: 0010:native_safe_halt+0x6/0x10
+[   12.736925] RSP: 0018:ffffa41cc0cafe90 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff4d
+[   12.737756] RAX: 0000000000000000 RBX: ffff8c2a761edb80 RCX: 0000000000000000
+[   12.738504] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[   12.739258] RBP: ffffa41cc0cafe90 R08: 0000014b5b9795e5 R09: ffffa41cc12c7e88
+[   12.740118] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
+[   12.740964] R13: ffff8c2a761edb80 R14: 0000000000000000 R15: 0000000000000000
+[   12.741831]  default_idle+0x2a/0x100
+[   12.742323]  arch_cpu_idle+0xf/0x20
+[   12.742796]  default_idle_call+0x28/0x40
+[   12.743312]  do_idle+0x179/0x1f0
+[   12.743761]  cpu_startup_entry+0x1d/0x20
+[   12.744291]  start_secondary+0x112/0x120
+[   12.744816]  secondary_startup_64+0xa5/0xa5
+[   12.745367] Code: b9 f4 01 00 00 48 89 c2 48 c1 ea 02 48 3d d3 07 00
+00 48 0f 47 d1 49 8b 0c 24 48 39 d1 76 07 49 89 14 24 48 89 d1 31 d2 48
+89 df <48> f7 f1 89 c6 e8 81 6e ff ff 5b 41 5c 5d c3 66 90 66 2e 0f 1f
+[   12.747527] RIP: tipc_node_calculate_timer.isra.12+0x45/0x60 [tipc] RSP: ffff8c2a7fc838a0
+[   12.748555] ---[ end trace 1399ab83390650fd ]---
+[   12.749296] Kernel panic - not syncing: Fatal exception in interrupt
+[   12.750123] Kernel Offset: 0x13200000 from 0xffffffff82000000
+(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[   12.751215] Rebooting in 60 seconds..
+
+Fixes: c9b64d492b1f ("tipc: add replicast peer discovery")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/udp_media.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -371,10 +371,6 @@ static int tipc_udp_recv(struct sock *sk
+                       goto rcu_out;
+       }
+-      tipc_rcv(sock_net(sk), skb, b);
+-      rcu_read_unlock();
+-      return 0;
+-
+ rcu_out:
+       rcu_read_unlock();
+ out:
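Review bot: With the unconditional `tipc_rcv()` call removed, control now falls straight into `rcu_out:` after the block at L1469-1470, so the `goto rcu_out` there reaches the same place a fall-through would; the condition guarding it (outside the hunk, as is the start of tipc_udp_recv()) appears to have become redundant and a follow-up could simplify it. The drop is deliberate, so a comment at the fall-through point would keep the next reader from re-adding the call, e.g. `/* bearer not up: drop the skb; link setup resumes with the next discovery message */`. It also appears that the skb is now freed even when a discovery message was handled successfully, which matches the delay the description accepts but is worth saying in the comment.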
diff --git a/queue-4.9/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch b/queue-4.9/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
new file mode 100644 (file)
index 0000000..81ecf39
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Jon Maloy <jon.maloy@ericsson.com>
+Date: Mon, 4 Dec 2017 22:00:20 +0100
+Subject: tipc: fix memory leak in tipc_accept_from_sock()
+
+From: Jon Maloy <jon.maloy@ericsson.com>
+
+
+[ Upstream commit a7d5f107b4978e08eeab599ee7449af34d034053 ]
+
+When the function tipc_accept_from_sock() fails to create an instance of
+struct tipc_subscriber it omits to free the already created instance of
+struct tipc_conn instance before it returns.
+
+We fix that with this commit.
+
+Reported-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/server.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/server.c
++++ b/net/tipc/server.c
+@@ -313,6 +313,7 @@ static int tipc_accept_from_sock(struct
+       newcon->usr_data = s->tipc_conn_new(newcon->conid);
+       if (!newcon->usr_data) {
+               sock_release(newsock);
++              conn_put(newcon);
+               return -ENOMEM;
+       }
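Review bot: `conn_put(newcon)` now follows `sock_release(newsock)` directly; the earlier part of tipc_accept_from_sock() is outside the hunk, so whether newsock was already attached to newcon before this point is not visible, and if it was, the release callback run by the last conn_put() must not release the socket a second time — worth confirming, since a double release here would be a use-after-free rather than the leak being fixed. If the connection does own the socket at this point, dropping the explicit `sock_release(newsock)` and letting conn_put() release both is the safer shape; if it does not, a comment such as `/* newcon does not own newsock yet: release both explicitly */` would document the ordering for the next reader.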
diff --git a/queue-4.9/usbnet-fix-alignment-for-frames-with-no-ethernet-header.patch b/queue-4.9/usbnet-fix-alignment-for-frames-with-no-ethernet-header.patch
new file mode 100644 (file)
index 0000000..798d4fc
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Thu Dec 14 11:45:58 CET 2017
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 6 Dec 2017 20:21:24 +0100
+Subject: usbnet: fix alignment for frames with no ethernet header
+
+From: Bjørn Mork <bjorn@mork.no>
+
+
+[ Upstream commit a4abd7a80addb4a9547f7dfc7812566b60ec505c ]
+
+The qmi_wwan minidriver support a 'raw-ip' mode where frames are
+received without any ethernet header. This causes alignment issues
+because the skbs allocated by usbnet are "IP aligned".
+
+Fix by allowing minidrivers to disable the additional alignment
+offset. This is implemented using a per-device flag, since the same
+minidriver also supports 'ethernet' mode.
+
+Fixes: 32f7adf633b9 ("net: qmi_wwan: support "raw IP" mode")
+Reported-and-tested-by: Jay Foster <jay@systech.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    2 ++
+ drivers/net/usb/usbnet.c   |    5 ++++-
+ include/linux/usb/usbnet.h |    1 +
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -74,9 +74,11 @@ static void qmi_wwan_netdev_setup(struct
+               net->hard_header_len = 0;
+               net->addr_len        = 0;
+               net->flags           = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
++              set_bit(EVENT_NO_IP_ALIGN, &dev->flags);
+               netdev_dbg(net, "mode: raw IP\n");
+       } else if (!net->header_ops) { /* don't bother if already set */
+               ether_setup(net);
++              clear_bit(EVENT_NO_IP_ALIGN, &dev->flags);
+               netdev_dbg(net, "mode: Ethernet\n");
+       }
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -485,7 +485,10 @@ static int rx_submit (struct usbnet *dev
+               return -ENOLINK;
+       }
+-      skb = __netdev_alloc_skb_ip_align(dev->net, size, flags);
++      if (test_bit(EVENT_NO_IP_ALIGN, &dev->flags))
++              skb = __netdev_alloc_skb(dev->net, size, flags);
++      else
++              skb = __netdev_alloc_skb_ip_align(dev->net, size, flags);
+       if (!skb) {
+               netif_dbg(dev, rx_err, dev->net, "no rx skb\n");
+               usbnet_defer_kevent (dev, EVENT_RX_MEMORY);
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -79,6 +79,7 @@ struct usbnet {
+ #             define EVENT_RX_KILL    10
+ #             define EVENT_LINK_CHANGE        11
+ #             define EVENT_SET_RX_MODE        12
++#             define EVENT_NO_IP_ALIGN        13
+ };
+ static inline struct usb_driver *driver_of(struct usb_interface *intf)