Home Home > GIT Browse > openSUSE-15.1
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-05-16 09:00:16 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-16 09:00:16 +0200
commit99503d8cd1887f0497e6c5037cc1e504206de437 (patch)
treeca17aa74edbbc2acea810064353632d43e088550
parentb30d5bfbd150fdc1022d89b4d4595bf0220f6621 (diff)
parentdbe44699702d33a34417938f74a052bddc740208 (diff)
Merge branch 'users/jslaby/SLE15/for-next' into SLE15
Pull net fixes from Jiri Slaby
-rw-r--r--patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch37
-rw-r--r--patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch45
-rw-r--r--patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch39
-rw-r--r--patches.suse/net-rose-fix-a-possible-stack-overflow.patch129
-rw-r--r--patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch62
-rw-r--r--patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch69
-rw-r--r--patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch38
-rw-r--r--patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch43
-rw-r--r--patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch62
-rw-r--r--patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch62
-rw-r--r--patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch29
-rw-r--r--patches.suse/tun-properly-test-for-IFF_UP.patch80
-rw-r--r--patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch45
-rw-r--r--series.conf13
14 files changed, 753 insertions, 0 deletions
diff --git a/patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch b/patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
new file mode 100644
index 0000000000..1affb168a2
--- /dev/null
+++ b/patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
@@ -0,0 +1,37 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 19 Mar 2019 05:46:18 -0700
+Subject: dccp: do not use ipv6 header for ipv4 flow
+Git-commit: e0aa67709f89d08c8d8e5bdd9e0b649df61d0090
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+When a dual stack dccp listener accepts an ipv4 flow,
+it should not attempt to use an ipv6 header or
+inet6_iif() helper.
+
+Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/dccp/ipv6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index d5740bad5b18..57d84e9b7b6f 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -436,8 +436,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
+- newnp->mcast_oif = inet6_iif(skb);
+- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
++ newnp->mcast_oif = inet_iif(skb);
++ newnp->mcast_hops = ip_hdr(skb)->ttl;
+
+ /*
+ * No need to charge this sock to the relevant IPv6 refcnt debug socks count
+--
+2.21.0
+
diff --git a/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
new file mode 100644
index 0000000000..0df45b8fe5
--- /dev/null
+++ b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
@@ -0,0 +1,45 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 21 Mar 2019 15:02:50 +0800
+Subject: genetlink: Fix a memory leak on error path
+Git-commit: ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+In genl_register_family(), when idr_alloc() fails,
+we forget to free the memory we possibly allocate for
+family->attrbuf.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netlink/genetlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
+index 25eeb6d2a75a..f0ec068e1d02 100644
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -366,7 +366,7 @@ int genl_register_family(struct genl_family *family)
+ start, end + 1, GFP_KERNEL);
+ if (family->id < 0) {
+ err = family->id;
+- goto errout_locked;
++ goto errout_free;
+ }
+
+ err = genl_validate_assign_mc_groups(family);
+@@ -385,6 +385,7 @@ int genl_register_family(struct genl_family *family)
+
+ errout_remove:
+ idr_remove(&genl_fam_idr, family->id);
++errout_free:
+ kfree(family->attrbuf);
+ errout_locked:
+ genl_unlock_all();
+--
+2.21.0
+
diff --git a/patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch b/patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch
new file mode 100644
index 0000000000..628a6af5e2
--- /dev/null
+++ b/patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch
@@ -0,0 +1,39 @@
+From: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
+Date: Sat, 16 Mar 2019 08:28:18 +0000
+Subject: net: aquantia: fix rx checksum offload for UDP/TCP over IPv6
+Git-commit: a7faaa0c5dc7d091cc9f72b870d7edcdd6f43f12
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+TCP/UDP checksum validity was propagated to skb
+only if IP checksum is valid.
+But for IPv6 there is no validity as there is no checksum in IPv6.
+This patch propagates TCP/UDP checksum validity regardless of IP checksum.
+
+Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
+Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
+Signed-off-by: Nikita Danilov <nikita.danilov@aquantia.com>
+Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+@@ -231,11 +231,12 @@ int aq_ring_rx_clean(struct aq_ring_s *s
+ } else {
+ if (buff->is_ip_cso) {
+ __skb_incr_checksum_unnecessary(skb);
+- if (buff->is_udp_cso || buff->is_tcp_cso)
+- __skb_incr_checksum_unnecessary(skb);
+ } else {
+ skb->ip_summed = CHECKSUM_NONE;
+ }
++
++ if (buff->is_udp_cso || buff->is_tcp_cso)
++ __skb_incr_checksum_unnecessary(skb);
+ }
+
+ skb_set_hash(skb, buff->rss_hash,
diff --git a/patches.suse/net-rose-fix-a-possible-stack-overflow.patch b/patches.suse/net-rose-fix-a-possible-stack-overflow.patch
new file mode 100644
index 0000000000..ef02b355ce
--- /dev/null
+++ b/patches.suse/net-rose-fix-a-possible-stack-overflow.patch
@@ -0,0 +1,129 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Mar 2019 10:41:14 -0700
+Subject: net: rose: fix a possible stack overflow
+Git-commit: e5dcc0c3223c45c94100f05f28d8ef814db3d82c
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+rose_write_internal() uses a temp buffer of 100 bytes, but a manual
+inspection showed that given arbitrary input, rose_create_facilities()
+can fill up to 110 bytes.
+
+Lets use a tailroom of 256 bytes for peace of mind, and remove
+the bounce buffer : we can simply allocate a big enough skb
+and adjust its length as needed.
+
+syzbot report :
+
+BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:352 [inline]
+BUG: KASAN: stack-out-of-bounds in rose_create_facilities net/rose/rose_subr.c:521 [inline]
+BUG: KASAN: stack-out-of-bounds in rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116
+Write of size 7 at addr ffff88808b1ffbef by task syz-executor.0/24854
+
+CPU: 0 PID: 24854 Comm: syz-executor.0 Not tainted 5.0.0+ #97
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
+ kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ check_memory_region_inline mm/kasan/generic.c:185 [inline]
+ check_memory_region+0x123/0x190 mm/kasan/generic.c:191
+ memcpy+0x38/0x50 mm/kasan/common.c:131
+ memcpy include/linux/string.h:352 [inline]
+ rose_create_facilities net/rose/rose_subr.c:521 [inline]
+ rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116
+ rose_connect+0x7cb/0x1510 net/rose/af_rose.c:826
+ __sys_connect+0x266/0x330 net/socket.c:1685
+ __do_sys_connect net/socket.c:1696 [inline]
+ __se_sys_connect net/socket.c:1693 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:1693
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458079
+Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f47b8d9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458079
+RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000004
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f47b8d9e6d4
+R13: 00000000004be4a4 R14: 00000000004ceca8 R15: 00000000ffffffff
+
+The buggy address belongs to the page:
+page:ffffea00022c7fc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x1fffc0000000000()
+raw: 01fffc0000000000 0000000000000000 ffffffff022c0101 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88808b1ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808b1ffb00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 03
+>ffff88808b1ffb80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 04 f3
+ ^
+ ffff88808b1ffc00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808b1ffc80: 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 01
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rose/rose_subr.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk
+ struct sk_buff *skb;
+ unsigned char *dptr;
+ unsigned char lci1, lci2;
+- char buffer[100];
+- int len, faclen = 0;
++ int maxfaclen = 0;
++ int len, faclen;
++ int reserve;
+
+- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1;
++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1;
++ len = ROSE_MIN_LEN;
+
+ switch (frametype) {
+ case ROSE_CALL_REQUEST:
+ len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN;
+- faclen = rose_create_facilities(buffer, rose);
+- len += faclen;
++ maxfaclen = 256;
+ break;
+ case ROSE_CALL_ACCEPTED:
+ case ROSE_CLEAR_REQUEST:
+@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk
+ break;
+ }
+
+- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC);
++ if (!skb)
+ return;
+
+ /*
+ * Space for AX.25 header and PID.
+ */
+- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1);
++ skb_reserve(skb, reserve);
+
+- dptr = skb_put(skb, skb_tailroom(skb));
++ dptr = skb_put(skb, len);
+
+ lci1 = (rose->lci >> 8) & 0x0F;
+ lci2 = (rose->lci >> 0) & 0xFF;
+@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk
+ dptr += ROSE_ADDR_LEN;
+ memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
+ dptr += ROSE_ADDR_LEN;
+- memcpy(dptr, buffer, faclen);
++ faclen = rose_create_facilities(dptr, rose);
++ skb_put(skb, faclen);
+ dptr += faclen;
+ break;
+
diff --git a/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch b/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
new file mode 100644
index 0000000000..7d35824b58
--- /dev/null
+++ b/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
@@ -0,0 +1,62 @@
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Mon, 18 Mar 2019 23:36:08 +0200
+Subject: net: stmmac: fix memory corruption with large MTUs
+Git-commit: 223a960c01227e4dbcb6f9fa06b47d73bda21274
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+When using 16K DMA buffers and ring mode, the DES3 refill is not working
+correctly as the function is using a bogus pointer for checking the
+private data. As a result stale pointers will remain in the RX descriptor
+ring, so DMA will now likely overwrite/corrupt some already freed memory.
+
+As simple reproducer, just receive some UDP traffic:
+
+ # ifconfig eth0 down; ifconfig eth0 mtu 9000; ifconfig eth0 up
+ # iperf3 -c 192.168.253.40 -u -b 0 -R
+
+If you didn't crash by now check the RX descriptors to find non-contiguous
+RX buffers:
+
+ cat /sys/kernel/debug/stmmaceth/eth0/descriptors_status
+ [...]
+ 1 [0x2be5020]: 0xa3220321 0x9ffc1ffc 0x72d70082 0x130e207e
+ ^^^^^^^^^^^^^^^^^^^^^
+ 2 [0x2be5040]: 0xa3220321 0x9ffc1ffc 0x72998082 0x1311a07e
+ ^^^^^^^^^^^^^^^^^^^^^
+
+A simple ping test will now report bad data:
+
+ # ping -s 8200 192.168.253.40
+ PING 192.168.253.40 (192.168.253.40) 8200(8228) bytes of data.
+ 8208 bytes from 192.168.253.40: icmp_seq=1 ttl=64 time=1.00 ms
+ wrong data byte #8144 should be 0xd0 but was 0x88
+
+Fix the wrong pointer. Also we must refill DES3 only if the DMA buffer
+size is 16K.
+
+Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Acked-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+@@ -114,10 +114,11 @@ static unsigned int stmmac_is_jumbo_frm(
+
+ static void stmmac_refill_desc3(void *priv_ptr, struct dma_desc *p)
+ {
+- struct stmmac_priv *priv = (struct stmmac_priv *)priv_ptr;
++ struct stmmac_rx_queue *rx_q = priv_ptr;
++ struct stmmac_priv *priv = rx_q->priv_data;
+
+ /* Fill DES3 in case of RING mode */
+- if (priv->dma_buf_sz >= BUF_SIZE_8KiB)
++ if (priv->dma_buf_sz == BUF_SIZE_16KiB)
+ p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB);
+ }
+
diff --git a/patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch b/patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch
new file mode 100644
index 0000000000..458c4bbc7b
--- /dev/null
+++ b/patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch
@@ -0,0 +1,69 @@
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Sat, 16 Mar 2019 14:41:30 +0100
+Subject: packets: Always register packet sk in the same order
+Git-commit: a4dc6a49156b1f8d6e17251ffda17c9e6a5db78a
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+When using fanouts with AF_PACKET, the demux functions such as
+fanout_demux_cpu will return an index in the fanout socket array, which
+corresponds to the selected socket.
+
+The ordering of this array depends on the order the sockets were added
+to a given fanout group, so for FANOUT_CPU this means sockets are bound
+to cpus in the order they are configured, which is OK.
+
+However, when stopping then restarting the interface these sockets are
+bound to, the sockets are reassigned to the fanout group in the reverse
+order, due to the fact that they were inserted at the head of the
+interface's AF_PACKET socket list.
+
+This means that traffic that was directed to the first socket in the
+fanout group is now directed to the last one after an interface restart.
+
+In the case of FANOUT_CPU, traffic from CPU0 will be directed to the
+socket that used to receive traffic from the last CPU after an interface
+restart.
+
+This commit introduces a helper to add a socket at the tail of a list,
+then uses it to register AF_PACKET sockets.
+
+Note that this changes the order in which sockets are listed in /proc and
+with sock_diag.
+
+Fixes: dc99f600698d ("packet: Add fanout support")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/sock.h | 6 ++++++
+ net/packet/af_packet.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -677,6 +677,12 @@ static inline void sk_add_node_rcu(struc
+ hlist_add_head_rcu(&sk->sk_node, list);
+ }
+
++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list)
++{
++ sock_hold(sk);
++ hlist_add_tail_rcu(&sk->sk_node, list);
++}
++
+ static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
+ {
+ hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3282,7 +3282,7 @@ static int packet_create(struct net *net
+ }
+
+ mutex_lock(&net->packet.sklist_lock);
+- sk_add_node_rcu(sk, &net->packet.sklist);
++ sk_add_node_tail_rcu(sk, &net->packet.sklist);
+ mutex_unlock(&net->packet.sklist_lock);
+
+ preempt_disable();
diff --git a/patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch b/patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
new file mode 100644
index 0000000000..3e8c3e1b9b
--- /dev/null
+++ b/patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
@@ -0,0 +1,38 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 18 Mar 2019 19:47:00 +0800
+Subject: sctp: get sctphdr by offset in sctp_compute_cksum
+Git-commit: 273160ffc6b993c7c91627f5a84799c66dfe4dee
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+sctp_hdr(skb) only works when skb->transport_header is set properly.
+
+But in Netfilter, skb->transport_header for ipv6 is not guaranteed
+to be right value for sctphdr. It would cause to fail to check the
+checksum for sctp packets.
+
+So fix it by using offset, which is always right in all places.
+
+v1->v2:
+ - Fix the changelog.
+
+Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/sctp/checksum.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/sctp/checksum.h
++++ b/include/net/sctp/checksum.h
+@@ -60,7 +60,7 @@ static inline __wsum sctp_csum_combine(_
+ static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
+ unsigned int offset)
+ {
+- struct sctphdr *sh = sctp_hdr(skb);
++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
+ __le32 ret, old = sh->checksum;
+ const struct skb_checksum_ops ops = {
+ .update = sctp_csum_update,
diff --git a/patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch b/patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
new file mode 100644
index 0000000000..5905124295
--- /dev/null
+++ b/patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
@@ -0,0 +1,43 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 19 Mar 2019 05:45:35 -0700
+Subject: tcp: do not use ipv6 header for ipv4 flow
+Git-commit: 89e4130939a20304f4059ab72179da81f5347528
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+When a dual stack tcp listener accepts an ipv4 flow,
+it should not attempt to use an ipv6 header or tcp_v6_iif() helper.
+
+Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases")
+Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/tcp_ipv6.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 57ef69a10889..44d431849d39 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1110,11 +1110,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ newnp->ipv6_fl_list = NULL;
+ newnp->pktoptions = NULL;
+ newnp->opt = NULL;
+- newnp->mcast_oif = tcp_v6_iif(skb);
+- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
+- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
++ newnp->mcast_oif = inet_iif(skb);
++ newnp->mcast_hops = ip_hdr(skb)->ttl;
++ newnp->rcv_flowinfo = 0;
+ if (np->repflow)
+- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
++ newnp->flow_label = 0;
+
+ /*
+ * No need to charge this sock to the relevant IPv6 refcnt debug socks count
+--
+2.21.0
+
diff --git a/patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch b/patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch
new file mode 100644
index 0000000000..b0a1ab4525
--- /dev/null
+++ b/patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch
@@ -0,0 +1,62 @@
+From: Dean Nelson <dnelson@redhat.com>
+Date: Tue, 26 Mar 2019 11:53:26 -0400
+Subject: thunderx: eliminate extra calls to put_page() for pages held for
+ recycling
+Git-commit: cd35ef91490ad8049dd180bb060aff7ee192eda9
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_03_28
+
+For the non-XDP case, commit 773225388dae15e72790 ("net: thunderx: Optimize
+page recycling for XDP") added code to nicvf_free_rbdr() that, when releasing
+the additional receive buffer page reference held for recycling, repeatedly
+calls put_page() until the page's _refcount goes to zero. Which results in
+the page being freed.
+
+This is not okay if the page's _refcount was greater than 1 (in the non-XDP
+case), because nicvf_free_rbdr() should not be subtracting more than what
+nicvf_alloc_page() had previously added to the page's _refcount, which was
+only 1 (in the non-XDP case).
+
+This can arise if a received packet is still being processed and the receive
+buffer (i.e., skb->head) has not yet been freed via skb_free_head() when
+nicvf_free_rbdr() is spinning through the aforementioned put_page() loop.
+
+If this should occur, when the received packet finishes processing and
+skb_free_head() is called, various problems can ensue. Exactly what, depends on
+whether the page has already been reallocated or not, anything from "BUG: Bad
+page state ... ", to "Unable to handle kernel NULL pointer dereference ..." or
+"Unable to handle kernel paging request...".
+
+So this patch changes nicvf_free_rbdr() to only call put_page() once for pages
+held for recycling (in the non-XDP case).
+
+Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
+Signed-off-by: Dean Nelson <dnelson@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+index 55dbf02c42af..e246f9733bb8 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -364,11 +364,10 @@ static void nicvf_free_rbdr(struct nicvf *nic, struct rbdr *rbdr)
+ while (head < rbdr->pgcnt) {
+ pgcache = &rbdr->pgcache[head];
+ if (pgcache->page && page_ref_count(pgcache->page) != 0) {
+- if (!rbdr->is_xdp) {
+- put_page(pgcache->page);
+- continue;
++ if (rbdr->is_xdp) {
++ page_ref_sub(pgcache->page,
++ pgcache->ref_count - 1);
+ }
+- page_ref_sub(pgcache->page, pgcache->ref_count - 1);
+ put_page(pgcache->page);
+ }
+ head++;
+--
+2.21.0
+
diff --git a/patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch b/patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch
new file mode 100644
index 0000000000..c3f6240220
--- /dev/null
+++ b/patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch
@@ -0,0 +1,62 @@
+From: Dean Nelson <dnelson@redhat.com>
+Date: Tue, 26 Mar 2019 11:53:19 -0400
+Subject: thunderx: enable page recycling for non-XDP case
+Git-commit: b3e208069477588c06f4d5d986164b435bb06e6d
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_03_28
+
+Commit 773225388dae15e72790 ("net: thunderx: Optimize page recycling for XDP")
+added code to nicvf_alloc_page() that inadvertently disables receive buffer
+page recycling for the non-XDP case by always NULL'ng the page pointer.
+
+This patch corrects two if-conditionals to allow for the recycling of non-XDP
+mode pages by only setting the page pointer to NULL when the page is not ready
+for recycling.
+
+Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
+Signed-off-by: Dean Nelson <dnelson@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../ethernet/cavium/thunder/nicvf_queues.c | 23 +++++++++----------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+index 5b4d3badcb73..55dbf02c42af 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -105,20 +105,19 @@ static inline struct pgcache *nicvf_alloc_page(struct nicvf *nic,
+ /* Check if page can be recycled */
+ if (page) {
+ ref_count = page_ref_count(page);
+- /* Check if this page has been used once i.e 'put_page'
+- * called after packet transmission i.e internal ref_count
+- * and page's ref_count are equal i.e page can be recycled.
++ /* This page can be recycled if internal ref_count and page's
++ * ref_count are equal, indicating that the page has been used
++ * once for packet transmission. For non-XDP mode, internal
++ * ref_count is always '1'.
+ */
+- if (rbdr->is_xdp && (ref_count == pgcache->ref_count))
+- pgcache->ref_count--;
+- else
+- page = NULL;
+-
+- /* In non-XDP mode, page's ref_count needs to be '1' for it
+- * to be recycled.
+- */
+- if (!rbdr->is_xdp && (ref_count != 1))
++ if (rbdr->is_xdp) {
++ if (ref_count == pgcache->ref_count)
++ pgcache->ref_count--;
++ else
++ page = NULL;
++ } else if (ref_count != 1) {
+ page = NULL;
++ }
+ }
+
+ if (!page) {
+--
+2.21.0
+
diff --git a/patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch b/patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch
new file mode 100644
index 0000000000..915d0e431c
--- /dev/null
+++ b/patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch
@@ -0,0 +1,29 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 16 Mar 2019 13:09:53 -0700
+Subject: tun: add a missing rcu_read_unlock() in error path
+Git-commit: 9180bb4f046064dfa4541488102703b402bb04e1
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+In my latest patch I missed one rcu_read_unlock(), in case
+device is down.
+
+Fixes: 4477138fa0ae ("tun: properly test for IFF_UP")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1353,6 +1353,7 @@ drop:
+ rcu_read_lock();
+ if (unlikely(!(tun->dev->flags & IFF_UP))) {
+ err = -EIO;
++ rcu_read_unlock();
+ goto drop;
+ }
+
diff --git a/patches.suse/tun-properly-test-for-IFF_UP.patch b/patches.suse/tun-properly-test-for-IFF_UP.patch
new file mode 100644
index 0000000000..c5aa0c9610
--- /dev/null
+++ b/patches.suse/tun-properly-test-for-IFF_UP.patch
@@ -0,0 +1,80 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 Mar 2019 20:19:47 -0700
+Subject: tun: properly test for IFF_UP
+Git-commit: 4477138fa0ae4e1b699786ef0600863ea6e6c61c
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+Same reasons than the ones explained in commit 4179cb5a4c92
+("vxlan: test dev->flags & IFF_UP before calling netif_rx()")
+
+netif_rx_ni() or napi_gro_frags() must be called under a strict contract.
+
+At device dismantle phase, core networking clears IFF_UP
+and flush_all_backlogs() is called after rcu grace period
+to make sure no incoming packet might be in a cpu backlog
+and still referencing the device.
+
+A similar protocol is used for gro layer.
+
+Most drivers call netif_rx() from their interrupt handler,
+and since the interrupts are disabled at device dismantle,
+netif_rx() does not have to check dev->flags & IFF_UP
+
+Virtual drivers do not have this guarantee, and must
+therefore make the check themselves.
+
+Fixes: 1bd4978a88ac ("tun: honor IFF_UP in tun_get_user()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1220,9 +1220,6 @@ static ssize_t tun_get_user(struct tun_s
+ int err;
+ u32 rxhash;
+
+- if (!(tun->dev->flags & IFF_UP))
+- return -EIO;
+-
+ if (!(tun->flags & IFF_NO_PI)) {
+ if (len < sizeof(pi))
+ return -EINVAL;
+@@ -1297,9 +1294,11 @@ static ssize_t tun_get_user(struct tun_s
+ err = skb_copy_datagram_from_iter(skb, 0, from, len);
+
+ if (err) {
++ err = -EFAULT;
++drop:
+ this_cpu_inc(tun->pcpu_stats->rx_dropped);
+ kfree_skb(skb);
+- return -EFAULT;
++ return err;
+ }
+
+ if (virtio_net_hdr_to_skb(skb, &gso, tun_is_little_endian(tun))) {
+@@ -1350,11 +1349,19 @@ static ssize_t tun_get_user(struct tun_s
+ skb_probe_transport_header(skb, 0);
+
+ rxhash = skb_get_hash(skb);
++
++ rcu_read_lock();
++ if (unlikely(!(tun->dev->flags & IFF_UP))) {
++ err = -EIO;
++ goto drop;
++ }
++
+ #ifndef CONFIG_4KSTACKS
+ tun_rx_batched(tun, tfile, skb, more);
+ #else
+ netif_rx_ni(skb);
+ #endif
++ rcu_read_unlock();
+
+ stats = get_cpu_ptr(tun->pcpu_stats);
+ u64_stats_update_begin(&stats->syncp);
diff --git a/patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch b/patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch
new file mode 100644
index 0000000000..a98a44811f
--- /dev/null
+++ b/patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch
@@ -0,0 +1,45 @@
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Date: Sat, 16 Mar 2019 17:02:54 +0800
+Subject: vxlan: Don't call gro_cells_destroy() before device is unregistered
+Git-commit: cc4807bb609230d8959fd732b0bf3bd4c2de8eac
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
+receive and link delete") fixed a race condition for the typical case a vxlan
+device is dismantled from the current netns. But if a netns is dismantled,
+vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
+of all the vxlan tunnels that are related to this netns.
+
+In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
+unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
+done too soon, for the same reasons explained in above commit.
+
+So we need to fully respect the RCU rules, and thus must remove the
+gro_cells_destroy() call or risk use after-free.
+
+Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
+Signed-off-by: Suanming.Mou <mousuanming@huawei.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/vxlan.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -3645,10 +3645,8 @@ static void __net_exit vxlan_exit_net(st
+ /* If vxlan->dev is in the same netns, it has already been added
+ * to the list by the previous loop.
+ */
+- if (!net_eq(dev_net(vxlan->dev), net)) {
+- gro_cells_destroy(&vxlan->gro_cells);
++ if (!net_eq(dev_net(vxlan->dev), net))
+ unregister_netdevice_queue(vxlan->dev, &list);
+- }
+ }
+
+ unregister_netdevice_many(&list);
diff --git a/series.conf b/series.conf
index 4186544fae..a1e478a1f4 100644
--- a/series.conf
+++ b/series.conf
@@ -21578,8 +21578,19 @@
patches.fixes/NFS-fix-mount-umount-race-in-nlmclnt.patch
patches.fixes/NFSv4.1-don-t-free-interrupted-slot-on-open.patch
patches.fixes/NFS-Fix-a-typo-in-nfs_init_timeout_values.patch
+ patches.suse/tun-properly-test-for-IFF_UP.patch
+ patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch
+ patches.suse/net-rose-fix-a-possible-stack-overflow.patch
+ patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch
+ patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch
+ patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch
+ patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
patches.drivers/mISDN-hfcpci-Test-both-vendor-device-ID-for-Digium-H.patch
+ patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
+ patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
+ patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
patches.suse/net-packet-Set-__GFP_NOWARN-upon-allocation-in-alloc.patch
+ patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
patches.fixes/0001-netfilter-bridge-set-skb-transport_header-before-ent.patch
patches.fixes/rhashtable-Still-do-rehash-when-we-get-EEXIST.patch
patches.fixes/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
@@ -21648,6 +21659,8 @@
patches.drivers/HID-debug-fix-race-condition-with-between-rdesc_show.patch
patches.drivers/HID-input-add-mapping-for-Assistant-key.patch
patches.fixes/0001-net-datagram-fix-unbounded-loop-in-__skb_try_recv_da.patch
+ patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch
+ patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch
patches.fixes/batman-adv-Reduce-claim-hash-refcnt-only-for-removed.patch
patches.fixes/batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch
patches.fixes/batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch