commit 5d087e3578cf9cbd850a6f0a5c8b8169f22b5272
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Sep 26 18:03:16 2020 +0200

    Linux 5.4.68
    
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20200925124723.575329814@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 071f42defada1da666a95a53866f6efe4e335cc7
Author: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Date:   Thu Sep 3 09:38:22 2020 +0000

    iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE
    
    commit e52d58d54a321d4fe9d0ecdabe4f8774449f0d6e upstream.
    
    When using 128-bit interrupt-remapping table entry (IRTE) (a.k.a GA mode),
    current driver disables interrupt remapping when it updates the IRTE
    so that the upper and lower 64-bit values can be updated safely.
    
    However, this creates a small window, where the interrupt could
    arrive and result in IO_PAGE_FAULT (for interrupt) as shown below.
    
      IOMMU Driver            Device IRQ
      ============            ===========
      irte.RemapEn=0
           ...
       change IRTE            IRQ from device ==> IO_PAGE_FAULT !!
           ...
      irte.RemapEn=1
    
    This scenario has been observed when changing irq affinity on a system
    running I/O-intensive workload, in which the destination APIC ID
    in the IRTE is updated.
    
    Instead, use cmpxchg_double() to update the 128-bit IRTE at once without
    disabling the interrupt remapping. However, this means several features,
    which require GA (128-bit IRTE) support will also be affected if cmpxchg16b
    is not supported (which is unprecedented for AMD processors w/ IOMMU).
    
    Fixes: 880ac60e2538 ("iommu/amd: Introduce interrupt remapping ops structure")
    Reported-by: Sean Osborne <sean.m.osborne@oracle.com>
    Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    Tested-by: Erik Rockstrom <erik.rockstrom@oracle.com>
    Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
    Link: https://lore.kernel.org/r/20200903093822.52012-3-suravee.suthikulpanit@amd.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a5bc1c7a9a6d64f2f76b43ffe2c644b40e063cfd
Author: Xunlei Pang <xlpang@linux.alibaba.com>
Date:   Fri Sep 4 16:35:27 2020 -0700

    mm: memcg: fix memcg reclaim soft lockup
    
    commit e3336cab2579012b1e72b5265adf98e2d6e244ad upstream.
    
    We've met softlockup with "CONFIG_PREEMPT_NONE=y", when the target memcg
    doesn't have any reclaimable memory.
    
    It can be easily reproduced as below:
    
      watchdog: BUG: soft lockup - CPU#0 stuck for 111s![memcg_test:2204]
      CPU: 0 PID: 2204 Comm: memcg_test Not tainted 5.9.0-rc2+ #12
      Call Trace:
        shrink_lruvec+0x49f/0x640
        shrink_node+0x2a6/0x6f0
        do_try_to_free_pages+0xe9/0x3e0
        try_to_free_mem_cgroup_pages+0xef/0x1f0
        try_charge+0x2c1/0x750
        mem_cgroup_charge+0xd7/0x240
        __add_to_page_cache_locked+0x2fd/0x370
        add_to_page_cache_lru+0x4a/0xc0
        pagecache_get_page+0x10b/0x2f0
        filemap_fault+0x661/0xad0
        ext4_filemap_fault+0x2c/0x40
        __do_fault+0x4d/0xf9
        handle_mm_fault+0x1080/0x1790
    
    It only happens on our 1-vcpu instances, because there's no chance for
    oom reaper to run to reclaim the to-be-killed process.
    
    Add a cond_resched() at the upper shrink_node_memcgs() to solve this
    issue, this will mean that we will get a scheduling point for each memcg
    in the reclaimed hierarchy without any dependency on the reclaimable
    memory in that memcg thus making it more predictable.
    
    Suggested-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Acked-by: Chris Down <chris@chrisdown.name>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Link: http://lkml.kernel.org/r/1598495549-67324-1-git-send-email-xlpang@linux.alibaba.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f23aa7cabdd017e169ee18681a42182d0ae7259
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Sep 9 01:27:40 2020 -0700

    net: add __must_check to skb_put_padto()
    
    [ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
    
    skb_put_padto() and __skb_put_padto() callers
    must check return values or risk use-after-free.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d5a7af160bd238878053c60e3299e69c9c6e7fa
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Sep 9 01:27:39 2020 -0700

    net: qrtr: check skb_put_padto() return value
    
    [ Upstream commit 3ca1a42a52ca4b4f02061683851692ad65fefac8 ]
    
    If skb_put_padto() returns an error, skb has been freed.
    Better not touch it anymore, as reported by syzbot [1]
    
    Note to qrtr maintainers : this suggests qrtr_sendmsg()
    should adjust sock_alloc_send_skb() second parameter
    to account for the potential added alignment to avoid
    reallocation.
    
    [1]
    
    BUG: KASAN: use-after-free in __skb_insert include/linux/skbuff.h:1907 [inline]
    BUG: KASAN: use-after-free in __skb_queue_before include/linux/skbuff.h:2016 [inline]
    BUG: KASAN: use-after-free in __skb_queue_tail include/linux/skbuff.h:2049 [inline]
    BUG: KASAN: use-after-free in skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146
    Write of size 8 at addr ffff88804d8ab3c0 by task syz-executor.4/4316
    
    CPU: 1 PID: 4316 Comm: syz-executor.4 Not tainted 5.9.0-rc4-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1d6/0x29e lib/dump_stack.c:118
     print_address_description+0x66/0x620 mm/kasan/report.c:383
     __kasan_report mm/kasan/report.c:513 [inline]
     kasan_report+0x132/0x1d0 mm/kasan/report.c:530
     __skb_insert include/linux/skbuff.h:1907 [inline]
     __skb_queue_before include/linux/skbuff.h:2016 [inline]
     __skb_queue_tail include/linux/skbuff.h:2049 [inline]
     skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146
     qrtr_tun_send+0x1a/0x40 net/qrtr/tun.c:23
     qrtr_node_enqueue+0x44f/0xc00 net/qrtr/qrtr.c:364
     qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861
     qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
     sock_sendmsg_nosec net/socket.c:651 [inline]
     sock_sendmsg net/socket.c:671 [inline]
     sock_write_iter+0x317/0x470 net/socket.c:998
     call_write_iter include/linux/fs.h:1882 [inline]
     new_sync_write fs/read_write.c:503 [inline]
     vfs_write+0xa96/0xd10 fs/read_write.c:578
     ksys_write+0x11b/0x220 fs/read_write.c:631
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x45d5b9
    Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f84b5b81c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000038b40 RCX: 000000000045d5b9
    RDX: 0000000000000055 RSI: 0000000020001240 RDI: 0000000000000003
    RBP: 00007f84b5b81ca0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000f
    R13: 00007ffcbbf86daf R14: 00007f84b5b829c0 R15: 000000000118cf4c
    
    Allocated by task 4316:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
     slab_post_alloc_hook+0x3e/0x290 mm/slab.h:518
     slab_alloc mm/slab.c:3312 [inline]
     kmem_cache_alloc+0x1c1/0x2d0 mm/slab.c:3482
     skb_clone+0x1b2/0x370 net/core/skbuff.c:1449
     qrtr_bcast_enqueue+0x6d/0x140 net/qrtr/qrtr.c:857
     qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
     sock_sendmsg_nosec net/socket.c:651 [inline]
     sock_sendmsg net/socket.c:671 [inline]
     sock_write_iter+0x317/0x470 net/socket.c:998
     call_write_iter include/linux/fs.h:1882 [inline]
     new_sync_write fs/read_write.c:503 [inline]
     vfs_write+0xa96/0xd10 fs/read_write.c:578
     ksys_write+0x11b/0x220 fs/read_write.c:631
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Freed by task 4316:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
     kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
     __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
     __cache_free mm/slab.c:3418 [inline]
     kmem_cache_free+0x82/0xf0 mm/slab.c:3693
     __skb_pad+0x3f5/0x5a0 net/core/skbuff.c:1823
     __skb_put_padto include/linux/skbuff.h:3233 [inline]
     skb_put_padto include/linux/skbuff.h:3252 [inline]
     qrtr_node_enqueue+0x62f/0xc00 net/qrtr/qrtr.c:360
     qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861
     qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
     sock_sendmsg_nosec net/socket.c:651 [inline]
     sock_sendmsg net/socket.c:671 [inline]
     sock_write_iter+0x317/0x470 net/socket.c:998
     call_write_iter include/linux/fs.h:1882 [inline]
     new_sync_write fs/read_write.c:503 [inline]
     vfs_write+0xa96/0xd10 fs/read_write.c:578
     ksys_write+0x11b/0x220 fs/read_write.c:631
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The buggy address belongs to the object at ffff88804d8ab3c0
     which belongs to the cache skbuff_head_cache of size 224
    The buggy address is located 0 bytes inside of
     224-byte region [ffff88804d8ab3c0, ffff88804d8ab4a0)
    The buggy address belongs to the page:
    page:00000000ea8cccfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804d8abb40 pfn:0x4d8ab
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea0002237ec8 ffffea00029b3388 ffff88821bb66800
    raw: ffff88804d8abb40 ffff88804d8ab000 000000010000000b 0000000000000000
    page dumped because: kasan: bad access detected
    
    Fixes: ce57785bf91b ("net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Carl Huang <cjhuang@codeaurora.org>
    Cc: Wen Gong <wgong@codeaurora.org>
    Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
    Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e78590497f9627b8e2e9823ec5ed5be071a42baa
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Wed Sep 16 20:43:10 2020 -0700

    net: phy: Do not warn in phy_stop() on PHY_DOWN
    
    [ Upstream commit 5116a8ade333b6c2e180782139c9c516a437b21c ]
    
    When phy_is_started() was added to catch incorrect PHY states,
    phy_stop() would not be qualified against PHY_DOWN. It is possible to
    reach that state when the PHY driver has been unbound and the network
    device is then brought down.
    
    Fixes: 2b3e88ea6528 ("net: phy: improve phy state checking")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 94f2dc7ad055199e569979f24ef4d5a555d06065
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Wed Sep 16 20:43:09 2020 -0700

    net: phy: Avoid NPD upon phy_detach() when driver is unbound
    
    [ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ]
    
    If we have unbound the PHY driver prior to calling phy_detach() (often
    via phy_disconnect()) then we can cause a NULL pointer de-reference
    accessing the driver owner member. The steps to reproduce are:
    
    echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
    ip link set eth0 down
    
    Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8b62798220804c303ef624d2c591888d17b18b4c
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date:   Sat Sep 12 21:36:29 2020 +0200

    net: lantiq: Disable IRQs only if NAPI gets scheduled
    
    [ Upstream commit 9423361da52356cb68642db5b2729b6b85aad330 ]
    
    The napi_schedule() call will only schedule the NAPI if it is not
    already running. To make sure that we do not deactivate interrupts
    without scheduling NAPI only deactivate the interrupts in case NAPI also
    gets scheduled.
    
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c304ed93ad36ea02f4ab3bdb9d61c03f82a381d
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date:   Sat Sep 12 21:36:28 2020 +0200

    net: lantiq: Use napi_complete_done()
    
    [ Upstream commit c582a7fea9dad4d309437d1a7e22e6d2cb380e2e ]
    
    Use napi_complete_done() and activate the interrupts when this function
    returns true. This way the generic NAPI code can take care of activating
    the interrupts.
    
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9efed2a32a86a754da512219cd7884de268dfefe
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date:   Sat Sep 12 21:36:27 2020 +0200

    net: lantiq: use netif_tx_napi_add() for TX NAPI
    
    [ Upstream commit 74c7b80e222b58d3cea731d31e2a31a77fea8345 ]
    
    netif_tx_napi_add() should be used for NAPI in the TX direction instead
    of the netif_napi_add() function.
    
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 19dd093aa5b488d7a91080ca1251af6f0b727a98
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date:   Sat Sep 12 21:36:26 2020 +0200

    net: lantiq: Wake TX queue again
    
    [ Upstream commit dea36631e6f186d4b853af67a4aef2e35cfa8bb7 ]
    
    The call to netif_wake_queue() when the TX descriptors were freed was
    missing. When there are no TX buffers available the TX queue will be
    stopped, but it was not started again when they are available again,
    this is fixed in this patch.
    
    Fixes: fe1a56420cf2 ("net: lantiq: Add Lantiq / Intel VRX200 Ethernet driver")
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 743fead4d9588b77b610a84c892d21de9626bfdb
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Sun Sep 20 21:08:56 2020 -0400

    bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
    
    [ Upstream commit a53906908148d64423398a62c4435efb0d09652c ]
    
    All changes related to bp->link_info require the protection of the
    link_lock mutex.  It's not sufficient to rely just on RTNL.
    
    Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.")
    Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e238cb110123241aa1d0f379e72a387522a8003d
Author: Edwin Peer <edwin.peer@broadcom.com>
Date:   Sun Sep 20 21:08:55 2020 -0400

    bnxt_en: return proper error codes in bnxt_show_temp
    
    [ Upstream commit d69753fa1ecb3218b56b022722f7a5822735b876 ]
    
    Returning "unknown" as a temperature value violates the hwmon interface
    rules. Appropriate error codes should be returned via device_attribute
    show instead. These will ultimately be propagated to the user via the
    file system interface.
    
    In addition to the corrected error handling, it is an even better idea to
    not present the sensor in sysfs at all if it is known that the read will
    definitely fail. Given that temp1_input is currently the only sensor
    reported, ensure no hwmon registration if TEMP_MONITOR_QUERY is not
    supported or if it will fail due to access permissions. Something smarter
    may be needed if and when other sensors are added.
    
    Fixes: 12cce90b934b ("bnxt_en: fix HWRM error when querying VF temperature")
    Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1ee92ea9a1fb4632a6b45d2fe8732b100e31e9e1
Author: Tariq Toukan <tariqt@mellanox.com>
Date:   Sun Jun 28 13:06:06 2020 +0300

    net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported
    
    [ Upstream commit 8f0bcd19b1da3f264223abea985b9462e85a3718 ]
    
    The set of TLS TX global SW counters in mlx5e_tls_sw_stats_desc
    is updated from all rings by using atomic ops.
    This set of stats is used only in the FPGA TLS use case, not in
    the Connect-X TLS one, where regular per-ring counters are used.
    
    Do not expose them in the Connect-X use case, as this would cause
    counter duplication. For example, tx_tls_drop_no_sync_data would
    appear twice in the ethtool stats.
    
    Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support")
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5b609d8e5bebfb6238e6724e2c35463d06537fcd
Author: Maor Dickman <maord@mellanox.com>
Date:   Wed Aug 5 17:56:04 2020 +0300

    net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported
    
    [ Upstream commit 6cec0229ab1959259e71e9a5bbe47c04577950b1 ]
    
    The cited commit creates peer miss group during switchdev mode
    initialization in order to handle miss packets correctly while in VF
    LAG mode. This is done regardless of FW support of such groups which
    could cause rules setups failure later on.
    
    Fix by adding FW capability check before creating peer groups/rule.
    
    Fixes: ac004b832128 ("net/mlx5e: E-Switch, Add peer miss rules")
    Signed-off-by: Maor Dickman <maord@mellanox.com>
    Reviewed-by: Roi Dayan <roid@mellanox.com>
    Reviewed-by: Raed Salem <raeds@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 825fc3167cf5c82685fb640d03d1c5028a1cea03
Author: Xin Long <lucien.xin@gmail.com>
Date:   Sun Sep 13 19:37:31 2020 +0800

    tipc: use skb_unshare() instead in tipc_buf_append()
    
    [ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
    
    In tipc_buf_append() it may change skb's frag_list, and it causes
    problems when this skb is cloned. skb_unclone() doesn't really
    make this skb's flag_list available to change.
    
    Shuang Li has reported an use-after-free issue because of this
    when creating quite a few macvlan dev over the same dev, where
    the broadcast packets will be cloned and go up to the stack:
    
     [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
     [ ] Call Trace:
     [ ]  dump_stack+0x7c/0xb0
     [ ]  print_address_description.constprop.7+0x1a/0x220
     [ ]  kasan_report.cold.10+0x37/0x7c
     [ ]  check_memory_region+0x183/0x1e0
     [ ]  pskb_expand_head+0x86d/0xea0
     [ ]  process_backlog+0x1df/0x660
     [ ]  net_rx_action+0x3b4/0xc90
     [ ]
     [ ] Allocated by task 1786:
     [ ]  kmem_cache_alloc+0xbf/0x220
     [ ]  skb_clone+0x10a/0x300
     [ ]  macvlan_broadcast+0x2f6/0x590 [macvlan]
     [ ]  macvlan_process_broadcast+0x37c/0x516 [macvlan]
     [ ]  process_one_work+0x66a/0x1060
     [ ]  worker_thread+0x87/0xb10
     [ ]
     [ ] Freed by task 3253:
     [ ]  kmem_cache_free+0x82/0x2a0
     [ ]  skb_release_data+0x2c3/0x6e0
     [ ]  kfree_skb+0x78/0x1d0
     [ ]  tipc_recvmsg+0x3be/0xa40 [tipc]
    
    So fix it by using skb_unshare() instead, which would create a new
    skb for the cloned frag and it'll be safe to change its frag_list.
    The similar things were also done in sctp_make_reassembled_event(),
    which is using skb_copy().
    
    Reported-by: Shuang Li <shuali@redhat.com>
    Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5efc178ebd1221fb5d57cc39e5bb0d3feb82eb5d
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Sat Sep 5 15:14:47 2020 +0900

    tipc: fix shutdown() of connection oriented socket
    
    [ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ]
    
    I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix
    shutdown() of connectionless socket") also applies to stream socket.
    
    ----------
    #include <sys/socket.h>
    #include <unistd.h>
    #include <sys/wait.h>
    
    int main(int argc, char *argv[])
    {
            int fds[2] = { -1, -1 };
            socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds);
            if (fork() == 0)
                    _exit(read(fds[0], NULL, 1));
            shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */
            wait(NULL); /* To be woken up by _exit(). */
            return 0;
    }
    ----------
    
    Since shutdown(SHUT_RDWR) should affect all processes sharing that socket,
    unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right
    behavior.
    
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Acked-by: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 586b14ec481c9d6dd9db8994f991dd8725e8b093
Author: Peilin Ye <yepeilin.cs@gmail.com>
Date:   Sun Sep 13 04:06:05 2020 -0400

    tipc: Fix memory leak in tipc_group_create_member()
    
    [ Upstream commit bb3a420d47ab00d7e1e5083286cab15235a96680 ]
    
    tipc_group_add_to_tree() returns silently if `key` matches `nkey` of an
    existing node, causing tipc_group_create_member() to leak memory. Let
    tipc_group_add_to_tree() return an error in such a case, so that
    tipc_group_create_member() can handle it properly.
    
    Fixes: 75da2163dbb6 ("tipc: introduce communication groups")
    Reported-and-tested-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com
    Cc: Hillf Danton <hdanton@sina.com>
    Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff
    Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 83bd58952b2b8543d8c48d1453975ab47a0a7504
Author: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Date:   Wed Sep 9 17:03:11 2020 -0700

    taprio: Fix allowing too small intervals
    
    [ Upstream commit b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 ]
    
    It's possible that the user specifies an interval that couldn't allow
    any packet to be transmitted. This also avoids the issue of the
    hrtimer handler starving the other threads because it's running too
    often.
    
    The solution is to reject interval sizes that according to the current
    link speed wouldn't allow any packet to be transmitted.
    
    Reported-by: syzbot+8267241609ae8c23b248@syzkaller.appspotmail.com
    Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
    Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f705d35a0e93dad3da12c6fefec594c6e29572f7
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Thu Sep 17 10:52:57 2020 -0700

    nfp: use correct define to return NONE fec
    
    [ Upstream commit 5f6857e808a8bd078296575b417c4b9d160b9779 ]
    
    struct ethtool_fecparam carries bitmasks not bit numbers.
    We want to return 1 (NONE), not 0.
    
    Fixes: 0d0870938337 ("nfp: implement ethtool FEC mode settings")
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Reviewed-by: Simon Horman <simon.horman@netronome.com>
    Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 875f6478655bed23f1fae1ce478b922927c76a2d
Author: Henry Ptasinski <hptasinski@google.com>
Date:   Sat Sep 19 00:12:11 2020 +0000

    net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant
    
    [ Upstream commit fe81d9f6182d1160e625894eecb3d7ff0222cac5 ]
    
    When calculating ancestor_size with IPv6 enabled, simply using
    sizeof(struct ipv6_pinfo) doesn't account for extra bytes needed for
    alignment in the struct sctp6_sock. On x86, there aren't any extra
    bytes, but on ARM the ipv6_pinfo structure is aligned on an 8-byte
    boundary so there were 4 pad bytes that were omitted from the
    ancestor_size calculation.  This would lead to corruption of the
    pd_lobby pointers, causing an oops when trying to free the sctp
    structure on socket close.
    
    Fixes: 636d25d557d1 ("sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant")
    Signed-off-by: Henry Ptasinski <hptasinski@google.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8844141966922435ad1e262068ec3c19a955484e
Author: Yunsheng Lin <linyunsheng@huawei.com>
Date:   Tue Sep 8 19:02:34 2020 +0800

    net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc
    
    [ Upstream commit 2fb541c862c987d02dfdf28f1545016deecfa0d5 ]
    
    Currently there is concurrent reset and enqueue operation for the
    same lockless qdisc when there is no lock to synchronize the
    q->enqueue() in __dev_xmit_skb() with the qdisc reset operation in
    qdisc_deactivate() called by dev_deactivate_queue(), which may cause
    out-of-bounds access for priv->ring[] in hns3 driver if user has
    requested a smaller queue num when __dev_xmit_skb() still enqueue a
    skb with a larger queue_mapping after the corresponding qdisc is
    reset, and call hns3_nic_net_xmit() with that skb later.
    
    Reused the existing synchronize_net() in dev_deactivate_many() to
    make sure skb with larger queue_mapping enqueued to old qdisc(which
    is saved in dev_queue->qdisc_sleeping) will always be reset when
    dev_reset_queue() is called.
    
    Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking")
    Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 891828a79bbcb337e5045c146c69ccab5de6f6bb
Author: Maor Gottlieb <maorg@nvidia.com>
Date:   Mon Aug 31 20:50:42 2020 +0300

    net/mlx5: Fix FTE cleanup
    
    [ Upstream commit cefc23554fc259114e78a7b0908aac4610ee18eb ]
    
    Currently, when an FTE is allocated, its refcount is decreased to 0
    with the purpose it will not be a stand alone steering object and every
    rule (destination) of the FTE would increase the refcount.
    When mlx5_cleanup_fs is called while not all rules were deleted by the
    steering users, it hit refcount underflow on the FTE once clean_tree
    calls to tree_remove_node after the deleted rules already decreased
    the refcount to 0.
    
    FTE is no longer destroyed implicitly when the last rule (destination)
    is deleted. mlx5_del_flow_rules avoids it by increasing the refcount on
    the FTE and destroy it explicitly after all rules were deleted. So we
    can avoid the refcount underflow by making FTE as stand alone object.
    In addition need to set del_hw_func to FTE so the HW object will be
    destroyed when the FTE is deleted from the cleanup_tree flow.
    
    refcount_t: underflow; use-after-free.
    WARNING: CPU: 2 PID: 15715 at lib/refcount.c:28 refcount_warn_saturate+0xd9/0xe0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Call Trace:
     tree_put_node+0xf2/0x140 [mlx5_core]
     clean_tree+0x4e/0xf0 [mlx5_core]
     clean_tree+0x4e/0xf0 [mlx5_core]
     clean_tree+0x4e/0xf0 [mlx5_core]
     clean_tree+0x5f/0xf0 [mlx5_core]
     clean_tree+0x4e/0xf0 [mlx5_core]
     clean_tree+0x5f/0xf0 [mlx5_core]
     mlx5_cleanup_fs+0x26/0x270 [mlx5_core]
     mlx5_unload+0x2e/0xa0 [mlx5_core]
     mlx5_unload_one+0x51/0x120 [mlx5_core]
     mlx5_devlink_reload_down+0x51/0x90 [mlx5_core]
     devlink_reload+0x39/0x120
     ? devlink_nl_cmd_reload+0x43/0x220
     genl_rcv_msg+0x1e4/0x420
     ? genl_family_rcv_msg_attrs_parse+0x100/0x100
     netlink_rcv_skb+0x47/0x110
     genl_rcv+0x24/0x40
     netlink_unicast+0x217/0x2f0
     netlink_sendmsg+0x30f/0x430
     sock_sendmsg+0x30/0x40
     __sys_sendto+0x10e/0x140
     ? handle_mm_fault+0xc4/0x1f0
     ? do_page_fault+0x33f/0x630
     __x64_sys_sendto+0x24/0x30
     do_syscall_64+0x48/0x130
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 718ce4d601db ("net/mlx5: Consolidate update FTE for all removal changes")
    Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel")
    Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
    Reviewed-by: Mark Bloch <mbloch@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 242e12aecdd3309dd8cb06f0576278d34755db72
Author: Necip Fazil Yildiran <fazilyildiran@gmail.com>
Date:   Thu Sep 17 19:46:43 2020 +0300

    net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
    
    [ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ]
    
    When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the
    following Kbuild warning:
    
    WARNING: unmet direct dependencies detected for CRYPTO_HMAC
      Depends on [n]: CRYPTO [=n]
      Selected by [y]:
      - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
    
    WARNING: unmet direct dependencies detected for CRYPTO_SHA1
      Depends on [n]: CRYPTO [=n]
      Selected by [y]:
      - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
    
    WARNING: unmet direct dependencies detected for CRYPTO_SHA256
      Depends on [n]: CRYPTO [=n]
      Selected by [y]:
      - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
    
    The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and
    CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs
    are subordinate to CRYPTO.
    
    Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
    
    Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
    Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d3c2188ee6e644c5159422cbdc892a21653ad38d
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Thu Sep 10 14:01:26 2020 +0300

    net: Fix bridge enslavement failure
    
    [ Upstream commit e1b9efe6baebe79019a2183176686a0e709388ae ]
    
    When a netdev is enslaved to a bridge, its parent identifier is queried.
    This is done so that packets that were already forwarded in hardware
    will not be forwarded again by the bridge device between netdevs
    belonging to the same hardware instance.
    
    The operation fails when the netdev is an upper of netdevs with
    different parent identifiers.
    
    Instead of failing the enslavement, have dev_get_port_parent_id() return
    '-EOPNOTSUPP' which will signal the bridge to skip the query operation.
    Other callers of the function are not affected by this change.
    
    Fixes: 7e1146e8c10c ("net: devlink: introduce devlink_compat_switch_id_get() helper")
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reported-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Reviewed-by: Nikolay Aleksandrov <nikolay@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acd04a157b33ce93fa4fbcc718ac0327ddd3288c
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Sat Sep 5 12:32:33 2020 +0200

    net: dsa: rtl8366: Properly clear member config
    
    [ Upstream commit 4ddcaf1ebb5e4e99240f29d531ee69d4244fe416 ]
    
    When removing a port from a VLAN we are just erasing the
    member config for the VLAN, which is wrong: other ports
    can be using it.
    
    Just mask off the port and only zero out the rest of the
    member config once ports using of the VLAN are removed
    from it.
    
    Reported-by: Florian Fainelli <f.fainelli@gmail.com>
    Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9139f13e01a324f1c3ed72b4f5a8df4fa177fd53
Author: Petr Machata <petrm@nvidia.com>
Date:   Thu Sep 10 14:09:05 2020 +0200

    net: DCB: Validate DCB_ATTR_DCB_BUFFER argument
    
    [ Upstream commit 297e77e53eadb332d5062913447b104a772dc33b ]
    
    The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
    field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
    each value is a number of a buffer to direct that priority's traffic to.
    That value is however never validated to lie within the bounds set by
    DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
    mlx5 (maintainers CCd), and that does not do any validation either, in
    particual allowing incorrect configuration if the prio2buffer value does
    not fit into 4 bits.
    
    Instead of offloading the need to validate the buffer index to drivers, do
    it right there in core, and bounce the request if the value is too large.
    
    CC: Parav Pandit <parav@nvidia.com>
    CC: Saeed Mahameed <saeedm@nvidia.com>
    Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute")
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 450c0c00a5b01ee474454c5923fbe47a462bd6f8
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Tue Sep 22 01:07:09 2020 +0300

    net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU
    
    [ Upstream commit 99f62a746066fa436aa15d4606a538569540db08 ]
    
    When calling the RCU brother of br_vlan_get_pvid(), lockdep warns:
    
    =============================
    WARNING: suspicious RCU usage
    5.9.0-rc3-01631-g13c17acb8e38-dirty #814 Not tainted
    -----------------------------
    net/bridge/br_private.h:1054 suspicious rcu_dereference_protected() usage!
    
    Call trace:
     lockdep_rcu_suspicious+0xd4/0xf8
     __br_vlan_get_pvid+0xc0/0x100
     br_vlan_get_pvid_rcu+0x78/0x108
    
    The warning is because br_vlan_get_pvid_rcu() calls nbp_vlan_group()
    which calls rtnl_dereference() instead of rcu_dereference(). In turn,
    rtnl_dereference() calls rcu_dereference_protected() which assumes
    operation under an RCU write-side critical section, which obviously is
    not the case here. So, when the incorrect primitive is used to access
    the RCU-protected VLAN group pointer, READ_ONCE() is not used, which may
    cause various unexpected problems.
    
    I'm sad to say that br_vlan_get_pvid() and br_vlan_get_pvid_rcu() cannot
    share the same implementation. So fix the bug by splitting the 2
    functions, and making br_vlan_get_pvid_rcu() retrieve the VLAN groups
    under proper locking annotations.
    
    Fixes: 7582f5b70f9a ("bridge: add br_vlan_get_pvid_rcu()")
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d0b05f019f843c64dda1347fc3e6459e0e7b7f8f
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 8 01:20:23 2020 -0700

    ipv6: avoid lockdep issue in fib6_del()
    
    [ Upstream commit 843d926b003ea692468c8cc5bea1f9f58dfa8c75 ]
    
    syzbot reported twice a lockdep issue in fib6_del() [1]
    which I think is caused by net->ipv6.fib6_null_entry
    having a NULL fib6_table pointer.
    
    fib6_del() already checks for fib6_null_entry special
    case, we only need to return earlier.
    
    Bug seems to occur very rarely, I have thus chosen
    a 'bug origin' that makes backports not too complex.
    
    [1]
    WARNING: suspicious RCU usage
    5.9.0-rc4-syzkaller #0 Not tainted
    -----------------------------
    net/ipv6/ip6_fib.c:1996 suspicious rcu_dereference_protected() usage!
    
    other info that might help us debug this:
    
    rcu_scheduler_active = 2, debug_locks = 1
    4 locks held by syz-executor.5/8095:
     #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: ppp_release+0x178/0x240 drivers/net/ppp/ppp_generic.c:401
     #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: spin_trylock_bh include/linux/spinlock.h:414 [inline]
     #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: fib6_run_gc+0x21b/0x2d0 net/ipv6/ip6_fib.c:2312
     #2: ffffffff89bd6a40 (rcu_read_lock){....}-{1:2}, at: __fib6_clean_all+0x0/0x290 net/ipv6/ip6_fib.c:2613
     #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline]
     #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: __fib6_clean_all+0x107/0x290 net/ipv6/ip6_fib.c:2245
    
    stack backtrace:
    CPU: 1 PID: 8095 Comm: syz-executor.5 Not tainted 5.9.0-rc4-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x198/0x1fd lib/dump_stack.c:118
     fib6_del+0x12b4/0x1630 net/ipv6/ip6_fib.c:1996
     fib6_clean_node+0x39b/0x570 net/ipv6/ip6_fib.c:2180
     fib6_walk_continue+0x4aa/0x8e0 net/ipv6/ip6_fib.c:2102
     fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2150
     fib6_clean_tree+0xdb/0x120 net/ipv6/ip6_fib.c:2230
     __fib6_clean_all+0x120/0x290 net/ipv6/ip6_fib.c:2246
     fib6_clean_all net/ipv6/ip6_fib.c:2257 [inline]
     fib6_run_gc+0x113/0x2d0 net/ipv6/ip6_fib.c:2320
     ndisc_netdev_event+0x217/0x350 net/ipv6/ndisc.c:1805
     notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
     call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033
     call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
     call_netdevice_notifiers net/core/dev.c:2059 [inline]
     dev_close_many+0x30b/0x650 net/core/dev.c:1634
     rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261
     rollback_registered net/core/dev.c:9329 [inline]
     unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410
     unregister_netdevice include/linux/netdevice.h:2774 [inline]
     ppp_release+0x216/0x240 drivers/net/ppp/ppp_generic.c:403
     __fput+0x285/0x920 fs/file_table.c:281
     task_work_run+0xdd/0x190 kernel/task_work.c:141
     tracehook_notify_resume include/linux/tracehook.h:188 [inline]
     exit_to_user_mode_loop kernel/entry/common.c:163 [inline]
     exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190
     syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 421842edeaf6 ("net/ipv6: Add fib6_null_entry")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: David Ahern <dsahern@gmail.com>
    Reviewed-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 860e2cc78c697c95bc749abb20047239fa1722ea
Author: David Ahern <dsahern@kernel.org>
Date:   Mon Sep 14 21:03:54 2020 -0600

    ipv4: Update exception handling for multipath routes via same device
    
    [ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ]
    
    Kfir reported that pmtu exceptions are not created properly for
    deployments where multipath routes use the same device.
    
    After some digging I see 2 compounding problems:
    1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after*
       the route lookup. This is the second use case where this has
       been a problem (the first is related to use of vti devices with
       VRF). I can not find any reason for the oif to be changed after the
       lookup; the code goes back to the start of git. It does not seem
       logical so remove it.
    
    2. fib_lookups for exceptions do not call fib_select_path to handle
       multipath route selection based on the hash.
    
    The end result is that the fib_lookup used to add the exception
    always creates it based using the first leg of the route.
    
    An example topology showing the problem:
    
                     |  host1
                 +------+
                 | eth0 |  .209
                 +------+
                     |
                 +------+
         switch  | br0  |
                 +------+
                     |
           +---------+---------+
           | host2             |  host3
       +------+             +------+
       | eth0 | .250        | eth0 | 192.168.252.252
       +------+             +------+
    
       +-----+             +-----+
       | vti | .2          | vti | 192.168.247.3
       +-----+             +-----+
           \                  /
     =================================
     tunnels
             192.168.247.1/24
    
    for h in host1 host2 host3; do
            ip netns add ${h}
            ip -netns ${h} link set lo up
            ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1
    done
    
    ip netns add switch
    ip -netns switch li set lo up
    ip -netns switch link add br0 type bridge stp 0
    ip -netns switch link set br0 up
    
    for n in 1 2 3; do
            ip -netns switch link add eth-sw type veth peer name eth-h${n}
            ip -netns switch li set eth-h${n} master br0 up
            ip -netns switch li set eth-sw netns host${n} name eth0
    done
    
    ip -netns host1 addr add 192.168.252.209/24 dev eth0
    ip -netns host1 link set dev eth0 up
    ip -netns host1 route add 192.168.247.0/24 \
            nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0
    
    ip -netns host2 addr add 192.168.252.250/24 dev eth0
    ip -netns host2 link set dev eth0 up
    
    ip -netns host2 addr add 192.168.252.252/24 dev eth0
    ip -netns host3 link set dev eth0 up
    
    ip netns add tunnel
    ip -netns tunnel li set lo up
    ip -netns tunnel li add br0 type bridge
    ip -netns tunnel li set br0 up
    for n in $(seq 11 20); do
            ip -netns tunnel addr add dev br0 192.168.247.${n}/24
    done
    
    for n in 2 3
    do
            ip -netns tunnel link add vti${n} type veth peer name eth${n}
            ip -netns tunnel link set eth${n} mtu 1360 master br0 up
            ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up
            ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24
    done
    ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3
    
    ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11
    ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.15
    ip -netns host1 ro ls cache
    
    Before this patch the cache always shows exceptions against the first
    leg in the multipath route; 192.168.252.250 per this example. Since the
    hash has an initial random seed, you may need to vary the final octet
    more than what is listed. In my tests, using addresses between 11 and 19
    usually found 1 that used both legs.
    
    With this patch, the cache will have exceptions for both legs.
    
    Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions")
    Reported-by: Kfir Itzhak <mastertheknife@gmail.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 583ff79349f905de7fe893a7d7e0331cde8645c0
Author: David Ahern <dsahern@gmail.com>
Date:   Sun Sep 13 12:43:39 2020 -0600

    ipv4: Initialize flowi4_multipath_hash in data path
    
    [ Upstream commit 1869e226a7b3ef75b4f70ede2f1b7229f7157fa4 ]
    
    flowi4_multipath_hash was added by the commit referenced below for
    tunnels. Unfortunately, the patch did not initialize the new field
    for several fast path lookups that do not initialize the entire flow
    struct to 0. Fix those locations. Currently, flowi4_multipath_hash
    is random garbage and affects the hash value computed by
    fib_multipath_hash for multipath selection.
    
    Fixes: 24ba14406c5c ("route: Add multipath_hash in flowi_common to make user-define hash")
    Signed-off-by: David Ahern <dsahern@gmail.com>
    Cc: wenxu <wenxu@ucloud.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f28bc7ea6978cbd894e1d3d7e8f85f8cc6f60a38
Author: Wei Wang <weiwan@google.com>
Date:   Tue Sep 8 14:09:34 2020 -0700

    ip: fix tos reflection in ack and reset packets
    
    [ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
    
    Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
    echo the TOS value of the received packets in the response.
    However, we do not want to echo the lower 2 ECN bits in accordance
    with RFC 3168 6.1.5 robustness principles.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    
    Signed-off-by: Wei Wang <weiwan@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c3de9daa662617132744731f1b4eb7b5cd1270a8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Sep 9 12:46:48 2020 +0300

    hdlc_ppp: add range checks in ppp_cp_parse_cr()
    
    [ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
    
    There are a couple bugs here:
    1) If opt[1] is zero then this results in a forever loop.  If the value
       is less than 2 then it is invalid.
    2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
       result in memory corruption.
    
    In the case of LCP_OPTION_ACCM, then  we should check "opt[1]" instead
    of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
    "nak_len" gets out of sync and it can lead to memory corruption in the
    next iterations through the loop.  In case of LCP_OPTION_MAGIC, the
    only valid value for opt[1] is 6, but the code is trying to log invalid
    data so we should only discard the data when "len" is less than 6
    because that leads to a read overflow.
    
    Reported-by: ChenNan Of Chaitin Security Research Lab  <whutchennan@gmail.com>
    Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 745c24fd1d79b588a951d3c5beca43575907f881
Author: Mark Gray <mark.d.gray@redhat.com>
Date:   Wed Sep 16 05:19:35 2020 -0400

    geneve: add transport ports in route lookup for geneve
    
    [ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]
    
    This patch adds transport ports information for route lookup so that
    IPsec can select Geneve tunnel traffic to do encryption. This is
    needed for OVS/OVN IPsec with encrypted Geneve tunnels.
    
    This can be tested by configuring a host-host VPN using an IKE
    daemon and specifying port numbers. For example, for an
    Openswan-type configuration, the following parameters should be
    configured on both hosts and IPsec set up as-per normal:
    
    $ cat /etc/ipsec.conf
    
    conn in
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp/6081
    rightprotoport=udp
    ...
    conn out
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp
    rightprotoport=udp/6081
    ...
    
    The tunnel can then be setup using "ip" on both hosts (but
    changing the relevant IP addresses):
    
    $ ip link add tun type geneve id 1000 remote $IP2
    $ ip addr add 192.168.0.1/24 dev tun
    $ ip link set tun up
    
    This can then be tested by pinging from $IP1:
    
    $ ping 192.168.0.2
    
    Without this patch the traffic is unencrypted on the wire.
    
    Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
    Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
    Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
    Reviewed-by: Greg Rose <gvrose8192@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 79cd5858ac05fbb8ca92fdc7ca8c9ed07851e4aa
Author: Ganji Aravind <ganji.aravind@chelsio.com>
Date:   Fri Sep 4 15:58:18 2020 +0530

    cxgb4: Fix offset when clearing filter byte counters
    
    [ Upstream commit 94cc242a067a869c29800aa789d38b7676136e50 ]
    
    Pass the correct offset to clear the stale filter hit
    bytes counter. Otherwise, the counter starts incrementing
    from the stale information, instead of 0.
    
    Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
    Signed-off-by: Ganji Aravind <ganji.aravind@chelsio.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2583159735e4e4e6de7950fcd3f475b27bada2c1
Author: Raju Rangoju <rajur@chelsio.com>
Date:   Wed Sep 16 21:50:39 2020 +0530

    cxgb4: fix memory leak during module unload
    
    [ Upstream commit f4a26a9b311d7ff9db461278faf2869d06496ef8 ]
    
    Fix the memory leak in mps during module unload
    path by freeing mps reference entries if the list
    adpter->mps_ref is not already empty
    
    Fixes: 28b3870578ef ("cxgb4: Re-work the logic for mps refcounting")
    Signed-off-by: Raju Rangoju <rajur@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6743a9b020fd741061fa3ef200f4c938754220ca
Author: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
Date:   Sat Sep 5 22:55:37 2020 -0400

    bnxt_en: Fix NULL ptr dereference crash in bnxt_fw_reset_task()
    
    [ Upstream commit b16939b59cc00231a75d224fd058d22c9d064976 ]
    
    bnxt_fw_reset_task() which runs from a workqueue can race with
    bnxt_remove_one().  For example, if firmware reset and VF FLR are
    happening at about the same time.
    
    bnxt_remove_one() already cancels the workqueue and waits for it
    to finish, but we need to do this earlier before the devlink
    reporters are destroyed.  This will guarantee that
    the devlink reporters will always be valid when bnxt_fw_reset_task()
    is still running.
    
    Fixes: b148bb238c02 ("bnxt_en: Fix possible crash in bnxt_fw_reset_task().")
    Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
    Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c7275d7a11abb88b4846e7ef142e7dd7fcea26ef
Author: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
Date:   Sat Sep 5 22:55:36 2020 -0400

    bnxt_en: Avoid sending firmware messages when AER error is detected.
    
    [ Upstream commit b340dc680ed48dcc05b56e1ebe1b9535813c3ee0 ]
    
    When the driver goes through PCIe AER reset in error state, all
    firmware messages will timeout because the PCIe bus is no longer
    accessible.  This can lead to AER reset taking many minutes to
    complete as each firmware command takes time to timeout.
    
    Define a new macro BNXT_NO_FW_ACCESS() to skip these firmware messages
    when either firmware is in fatal error state or when
    pci_channel_offline() is true.  It now takes a more reasonable 20 to
    30 seconds to complete AER recovery.
    
    Fixes: b4fff2079d10 ("bnxt_en: Do not send firmware messages if firmware is in error state.")
    Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61fd38db76ad432e9b8df4be32e943dc7adea167
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Thu Sep 3 19:10:11 2020 -0700

    act_ife: load meta modules before tcf_idr_check_alloc()
    
    [ Upstream commit cc8e58f8325cdf14b9516b61c384cdfd02a4f408 ]
    
    The following deadlock scenario is triggered by syzbot:
    
    Thread A:                               Thread B:
    tcf_idr_check_alloc()
    ...
    populate_metalist()
      rtnl_unlock()
                                            rtnl_lock()
                                            ...
      request_module()                      tcf_idr_check_alloc()
      rtnl_lock()
    
    At this point, thread A is waiting for thread B to release RTNL
    lock, while thread B is waiting for thread A to commit the IDR
    change with tcf_idr_insert() later.
    
    Break this deadlock situation by preloading ife modules earlier,
    before tcf_idr_check_alloc(), this is fine because we only need
    to load modules we need potentially.
    
    Reported-and-tested-by: syzbot+80e32b5d1f9923f8ace6@syzkaller.appspotmail.com
    Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Vlad Buslov <vladbu@mellanox.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 263445256cd8fe3d03325587afadb8b275210163
Author: Ralph Campbell <rcampbell@nvidia.com>
Date:   Fri Sep 18 21:20:24 2020 -0700

    mm/thp: fix __split_huge_pmd_locked() for migration PMD
    
    [ Upstream commit ec0abae6dcdf7ef88607c869bf35a4b63ce1b370 ]
    
    A migrating transparent huge page has to already be unmapped.  Otherwise,
    the page could be modified while it is being copied to a new page and data
    could be lost.  The function __split_huge_pmd() checks for a PMD migration
    entry before calling __split_huge_pmd_locked() leading one to think that
    __split_huge_pmd_locked() can handle splitting a migrating PMD.
    
    However, the code always increments the page->_mapcount and adjusts the
    memory control group accounting assuming the page is mapped.
    
    Also, if the PMD entry is a migration PMD entry, the call to
    is_huge_zero_pmd(*pmd) is incorrect because it calls pmd_pfn(pmd) instead
    of migration_entry_to_pfn(pmd_to_swp_entry(pmd)).  Fix these problems by
    checking for a PMD migration entry.
    
    Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
    Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Reviewed-by: Yang Shi <shy828301@gmail.com>
    Reviewed-by: Zi Yan <ziy@nvidia.com>
    Cc: Jerome Glisse <jglisse@redhat.com>
    Cc: John Hubbard <jhubbard@nvidia.com>
    Cc: Alistair Popple <apopple@nvidia.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Jason Gunthorpe <jgg@nvidia.com>
    Cc: Bharata B Rao <bharata@linux.ibm.com>
    Cc: Ben Skeggs <bskeggs@redhat.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: <stable@vger.kernel.org>    [4.14+]
    Link: https://lkml.kernel.org/r/20200903183140.19055-1-rcampbell@nvidia.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e7b219bc7b59e8e6d2d689c6573db2729c4c359c
Author: Muchun Song <songmuchun@bytedance.com>
Date:   Fri Sep 18 21:20:21 2020 -0700

    kprobes: fix kill kprobe which has been marked as gone
    
    [ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ]
    
    If a kprobe is marked as gone, we should not kill it again.  Otherwise, we
    can disarm the kprobe more than once.  In that case, the statistics of
    kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not
    work.
    
    Fixes: e8386a0cb22f ("kprobes: support probing module __exit function")
    Co-developed-by: Chengming Zhou <zhouchengming@bytedance.com>
    Signed-off-by: Muchun Song <songmuchun@bytedance.com>
    Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>
    Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Song Liu <songliubraving@fb.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: <stable@vger.kernel.org>
    Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2906c6acda1563d1e142d9b9acb2a3596bc97a85
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Fri Sep 4 21:07:49 2020 -0700

    ibmvnic: add missing parenthesis in do_reset()
    
    [ Upstream commit 8ae4dff882eb879c17bf46574201bd37fc6bc8b5 ]
    
    Indentation and logic clearly show that this code is missing
    parenthesis.
    
    Fixes: 9f1345737790 ("ibmvnic fix NULL tx_pools and rx_tools issue at do_reset")
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c5ea715792542c54c4735e936532f0364a6904cb
Author: Mingming Cao <mmc@linux.vnet.ibm.com>
Date:   Tue Aug 25 13:26:41 2020 -0400

    ibmvnic fix NULL tx_pools and rx_tools issue at do_reset
    
    [ Upstream commit 9f13457377907fa253aef560e1a37e1ca4197f9b ]
    
    At the time of do_rest, ibmvnic tries to re-initalize the tx_pools
    and rx_pools to avoid re-allocating the long term buffer. However
    there is a window inside do_reset that the tx_pools and
    rx_pools were freed before re-initialized making it possible to deference
    null pointers.
    
    This patch fix this issue by always check the tx_pool
    and rx_pool are not NULL after ibmvnic_login. If so, re-allocating
    the pools. This will avoid getting into calling reset_tx/rx_pools with
    NULL adapter tx_pools/rx_pools pointer. Also add null pointer check in
    reset_tx_pools and reset_rx_pools to safe handle NULL pointer case.
    
    Signed-off-by: Mingming Cao <mmc@linux.vnet.ibm.com>
    Signed-off-by: Dany Madden <drt@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a769bff2333a8212cff4fd8bbe986979bf41c528
Author: Mark Salyzyn <salyzyn@android.com>
Date:   Wed Jul 22 04:00:53 2020 -0700

    af_key: pfkey_dump needs parameter validation
    
    commit 37bd22420f856fcd976989f1d4f1f7ad28e1fcac upstream.
    
    In pfkey_dump() dplen and splen can both be specified to access the
    xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
    when it calls addr_match() with the indexes.  Return EINVAL if either
    are out of range.
    
    Signed-off-by: Mark Salyzyn <salyzyn@android.com>
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Cc: kernel-team@android.com
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>