Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2018-06-20 07:04:16 +0200
committerKernel Build Daemon <kbuild@suse.de>2018-06-20 07:04:16 +0200
commit75f7ece999d647b5059fd70b90d9dc03a6dfcbf4 (patch)
tree8f1b4dd99d7d0887b209350b694d3e64d27ade79
parent6974ad28760e7326fc4cec3d059bb73ce9b21955 (diff)
parentd99d9ba6a4b34f8a7da3b2e33969b893d1581faa (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--blacklist.conf10
-rw-r--r--patches.arch/x86-pti-xenpv-dont-report-as-vulnerable.patch49
-rw-r--r--patches.drivers/0065-iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch46
-rw-r--r--patches.drivers/0125-iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch61
-rw-r--r--patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch3
-rw-r--r--patches.drivers/target-transport-should-handle-st-FM-EOM-ILI-reads.patch178
-rw-r--r--patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch6
-rw-r--r--patches.fixes/firmware-add-helper-to-unregister-pm-ops.patch57
-rw-r--r--patches.fixes/firmware-always-enable-the-reboot-notifier.patch92
-rw-r--r--patches.fixes/firmware-fix-capturing-errors-on-fw_cache_init-on-ea.patch106
-rw-r--r--patches.fixes/firmware-fix-detecting-error-on-register_reboot_noti.patch44
-rw-r--r--patches.fixes/firmware-move-kill_requests_without_uevent-up-above.patch72
-rw-r--r--patches.fixes/firmware-provide-helpers-for-registering-the-syfs-lo.patch81
-rw-r--r--patches.fixes/firmware-share-fw-fallback-killing-on-reboot-suspend.patch94
-rw-r--r--patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch2
-rw-r--r--patches.fixes/x86-do-not-reserve-crash-kernel-if-booted-on-xen-pv.patch60
-rw-r--r--patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch56
-rw-r--r--patches.kabi/kabi-protect-struct-ipv6_pinfo.patch34
-rw-r--r--patches.kabi/kabi-protect-tap_create_cdev.patch83
-rw-r--r--patches.suse/0012-btrfs-allow-backref-search-checks-for-shared-extents.patch2
-rw-r--r--patches.suse/8021q-fix-a-memory-leak-for-VLAN-0-device.patch42
-rw-r--r--patches.suse/8139too-revisit-napi_complete_done-usage.patch44
-rw-r--r--patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch69
-rw-r--r--patches.suse/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch35
-rw-r--r--patches.suse/af_netlink-ensure-that-NLMSG_DONE-never-fails-in-dum.patch111
-rw-r--r--patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch42
-rw-r--r--patches.suse/ethtool-do-not-print-warning-for-applications-using-.patch60
-rw-r--r--patches.suse/fealnx-Fix-building-error-on-MIPS.patch40
-rw-r--r--patches.suse/ip6_gre-fix-device-features-for-ioctl-setup.patch137
-rw-r--r--patches.suse/ip6_gre-ip6gre_tap-device-should-keep-dst.patch29
-rw-r--r--patches.suse/ip6_gre-only-increase-err_count-for-some-certain-typ.patch62
-rw-r--r--patches.suse/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-i.patch73
-rw-r--r--patches.suse/ip6_gre-update-dst-pmtu-if-dev-mtu-has-been-updated-.patch66
-rw-r--r--patches.suse/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-sta.patch39
-rw-r--r--patches.suse/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-i.patch59
-rw-r--r--patches.suse/ip6_tunnel-update-mtu-properly-for-ARPHRD_ETHER-tunn.patch47
-rw-r--r--patches.suse/ipip-only-increase-err_count-for-some-certain-type-i.patch125
-rw-r--r--patches.suse/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch56
-rw-r--r--patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch59
-rw-r--r--patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch101
-rw-r--r--patches.suse/ipv6-mcast-better-catch-silly-mtu-values.patch146
-rw-r--r--patches.suse/ipv6-sr-fix-TLVs-not-being-copied-using-setsockopt.patch45
-rw-r--r--patches.suse/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch (renamed from patches.drivers/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill)37
-rw-r--r--patches.suse/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch (renamed from patches.drivers/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c)27
-rw-r--r--patches.suse/kernel-sys.c-fix-potential-Spectre-v1-issue.patch59
-rw-r--r--patches.suse/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch65
-rw-r--r--patches.suse/mlxsw-spectrum-Forbid-linking-to-devices-fix.patch39
-rw-r--r--patches.suse/mlxsw-spectrum-Prevent-mirred-related-crash-on-remov.patch95
-rw-r--r--patches.suse/mlxsw-spectrum-Relax-sanity-checks-during-enslavemen.patch63
-rw-r--r--patches.suse/mlxsw-spectrum_router-Fix-NULL-pointer-deref.patch35
-rw-r--r--patches.suse/mlxsw-spectrum_router-Simplify-a-piece-of-code.patch32
-rw-r--r--patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch3
-rw-r--r--patches.suse/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch62
-rw-r--r--patches.suse/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch104
-rw-r--r--patches.suse/net-bonding-Fix-transmit-load-balancing-in-balance-a.patch64
-rw-r--r--patches.suse/net-bonding-fix-tlb_dynamic_lb-default-value.patch62
-rw-r--r--patches.suse/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch92
-rw-r--r--patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch31
-rw-r--r--patches.suse/net-core-fix-module-type-in-sock_diag_bind.patch27
-rw-r--r--patches.suse/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch30
-rw-r--r--patches.suse/net-dsa-check-master-device-before-put.patch40
-rw-r--r--patches.suse/net-dsa-mv88e6xxx-lock-mutex-when-freeing-IRQs.patch32
-rw-r--r--patches.suse/net-emac-Fix-napi-poll-list-corruption.patch51
-rw-r--r--patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch31
-rw-r--r--patches.suse/net-fec-free-restore-resource-in-related-probe-error.patch36
-rw-r--r--patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch27
-rw-r--r--patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch42
-rw-r--r--patches.suse/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch85
-rw-r--r--patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch79
-rw-r--r--patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch38
-rw-r--r--patches.suse/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch33
-rw-r--r--patches.suse/net-phy-Fix-mask-value-write-on-gmii2rgmii-converter.patch36
-rw-r--r--patches.suse/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch28
-rw-r--r--patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch36
-rw-r--r--patches.suse/net-qcom-emac-specify-the-correct-size-when-mapping-.patch33
-rw-r--r--patches.suse/net-realtek-r8169-implement-set_link_ksettings.patch98
-rw-r--r--patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch115
-rw-r--r--patches.suse/net-remove-hlist_nulls_add_tail_rcu.patch149
-rw-r--r--patches.suse/net-sctp-Always-set-scope_id-in-sctp_inet6_skb_msgna.patch54
-rw-r--r--patches.suse/net-stmmac-enable-EEE-in-MII-GMII-or-RGMII-only.patch43
-rw-r--r--patches.suse/net-systemport-Correct-IPG-length-settings.patch43
-rw-r--r--patches.suse/net-unix-don-t-show-information-about-sockets-from-o.patch36
-rw-r--r--patches.suse/netfilter-ipvs-clear-ipvs_property-flag-when-SKB-net.patch51
-rw-r--r--patches.suse/netlink-do-not-proceed-if-dump-s-start-errs.patch46
-rw-r--r--patches.suse/netlink-do-not-set-cb_running-if-dump-s-start-errs.patch58
-rw-r--r--patches.suse/netlink-put-module-reference-if-dump-start-fails.patch45
-rw-r--r--patches.suse/ppp-fix-race-in-ppp-device-destruction.patch110
-rw-r--r--patches.suse/ptr_ring-add-barriers.patch61
-rw-r--r--patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch79
-rw-r--r--patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch3
-rw-r--r--patches.suse/sctp-do-not-retransmit-upon-FragNeeded-if-PMTU-disco.patch62
-rw-r--r--patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch129
-rw-r--r--patches.suse/sctp-full-support-for-ipv6-ip_nonlocal_bind-IP_FREEB.patch52
-rw-r--r--patches.suse/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_t.patch43
-rw-r--r--patches.suse/sctp-reset-owner-sk-for-data-chunks-on-out-queues-wh.patch98
-rw-r--r--patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch47
-rw-r--r--patches.suse/sh_eth-fix-SH7757-GEther-initialization.patch48
-rw-r--r--patches.suse/sh_eth-fix-TSU-resource-handling.patch60
-rw-r--r--patches.suse/sit-update-frag_off-info.patch29
-rw-r--r--patches.suse/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch44
-rw-r--r--patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch38
-rw-r--r--patches.suse/tap-reference-to-KVA-of-an-unloaded-module-causes-ke.patch118
-rw-r--r--patches.suse/tcp-fix-data-delivery-rate.patch48
-rw-r--r--patches.suse/tcp-update-skb-skb_mstamp-more-carefully.patch140
-rw-r--r--patches.suse/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch67
-rw-r--r--patches.suse/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch41
-rw-r--r--patches.suse/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch36
-rw-r--r--patches.suse/tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch29
-rw-r--r--patches.suse/tipc-fix-hanging-poll-for-stream-sockets.patch42
-rw-r--r--patches.suse/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch31
-rw-r--r--patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch33
-rw-r--r--patches.suse/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch108
-rw-r--r--patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch79
-rw-r--r--patches.suse/tun-tap-sanitize-TUNSETSNDBUF-input.patch85
-rw-r--r--patches.suse/vlan-fix-a-use-after-free-in-vlan_device_event.patch65
-rw-r--r--patches.suse/vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmp.patch94
-rw-r--r--series.conf121
117 files changed, 6812 insertions, 143 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 8a9051490e..b55e075440 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -365,3 +365,13 @@ fc218544fbc800d1c91348ec834cacfb257348f7 # requires major changes to libceph fro
dc82e52492f684dcd5ed9e4773e72dbf2203d75e # ALSA core: breaks kABI due to enum renumbering
880cd276dff17ea29e9a8404275c9502b265afa7 # not relevant, bsc#1097471
40c57963789d451c26269e3bc9f9e803060fd9af # ASoC core: breaks kABI
+3a0b3bbbff0f69c59e753dddf97e4e334b7fa997 # rcutorture testing on selftest not run
+8dcd6f3fe206c0bb8996e59386a04027b1c2fb9b # rcutorture testing on selftest not run
+81394e3f6df8f72895354fe29a1ef60cb0765a78 # rcutorture testing on selftest not run
+2adfa4210f8f35cdfb4e08318cc06b99752964c2 # rcutorture testing on selftest not run
+e5ed531dca4f569397ee5df60cd8ea2684c9aeff # rcutorture testing on selftest not run
+1696784eb7b52b13b62d160c028ef2c2c981d4f2 # tools only
+0d665e7b109d512b7cae3ccef6e8654714887844 # not needed, all supported archs have sparsemem_vmemmap
+18a955219bf7d9008ce480d4451b6b8bf4483a22 # not needed, x86 config has CONFIG_HUGETLBFS
+ab1e8d8960b68f54af42b6484b5950bd13a4054b # not needed, no config has NEED_PER_CPU_KM
+fc5d1073cae299de4517755a910df4f12a6a438f # not needed, dead code removal
diff --git a/patches.arch/x86-pti-xenpv-dont-report-as-vulnerable.patch b/patches.arch/x86-pti-xenpv-dont-report-as-vulnerable.patch
new file mode 100644
index 0000000000..905b6efff3
--- /dev/null
+++ b/patches.arch/x86-pti-xenpv-dont-report-as-vulnerable.patch
@@ -0,0 +1,49 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Subject: [PATCH] x86/pti: don't report XenPV as vulnerable
+References: bsc#1097551
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
+Git-commit: 66aa6b5cbc359331fc054e96bb49e9502bc0b1d9
+
+Xen PV domain kernel is not by design affected by meltdown as it's enforcing
+split CR3 itself. Let's not report such systems as "Vulnerable" in sysfs (we're
+also already forcing PTI to off in X86_HYPER_XEN_PV cases); the
+security of the system ultimately depends on presence of mitigation in
+Hypervisor, which can't be easily detected from DomU; let's report that.
+
+Reported-and-tested-by: Mike Latimer <mlatimer@suse.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Juergen Gross <jgross@suse.com>
+Cc: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1806180959080.6203@cbobk.fhfr.pm
+---
+ arch/x86/kernel/cpu/bugs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index cd0fda1fff6d..57638396a254 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -27,6 +27,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/set_memory.h>
+ #include <asm/intel-family.h>
++#include <asm/hypervisor.h>
+
+ static void __init spectre_v2_select_mitigation(void);
+ static void __init ssb_select_mitigation(void);
+@@ -664,6 +665,10 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
+ if (boot_cpu_has(X86_FEATURE_PTI))
+ return sprintf(buf, "Mitigation: PTI\n");
+
++ if (hypervisor_is_type(X86_HYPER_XEN_PV))
++ return sprintf(buf, "Unknown (XEN PV detected, hypervisor "
++ "mitigation required)\n");
++
+ break;
+
+ case X86_BUG_SPECTRE_V1:
+--
+2.12.3
+
diff --git a/patches.drivers/0065-iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch b/patches.drivers/0065-iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
deleted file mode 100644
index 7ee7a0c18f..0000000000
--- a/patches.drivers/0065-iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 7991eb4620b7a0ef0496ea5cab4b062e7853334b Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 25 Apr 2017 10:21:18 +0200
-Subject: [PATCH 065/146] iwlwifi: mvm: don't warn in queue sync on RF-kill
-Git-commit: 6ad0435991482107664f65b7ae3fd588f10149d4
-Patch-mainline: v4.13
-References: FATE#322675
-
-If we happen to be in or get into the queue sync when RF-kill
-is asserted, we return from there and warn since there are
-still queue sync notifications outstanding. These can't ever
-come though, because we're in RF-kill, so don't WARN then.
-
-While at it, also move the warning to the appropriate place,
-if the request is not synchronous then we shouldn't warn, but
-currently always will.
-
-To make it fast, also trigger the waitq when on rfkill assert.
-
-Fixes: 0636b938214c ("iwlwifi: mvm: implement driver RX queues sync command")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
----
- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
-@@ -1094,6 +1094,16 @@ static void iwl_mvm_wake_sw_queue(struct
- iwl_mvm_start_mac_queues(mvm, mq);
- }
-
-+static void iwl_mvm_set_rfkill_state(struct iwl_mvm *mvm)
-+{
-+ bool state = iwl_mvm_is_radio_killed(mvm);
-+
-+ if (state)
-+ wake_up(&mvm->rx_sync_waitq);
-+
-+ wiphy_rfkill_set_hw_state(mvm->hw->wiphy, state);
-+}
-+
- void iwl_mvm_set_hw_ctkill_state(struct iwl_mvm *mvm, bool state)
- {
- if (state)
diff --git a/patches.drivers/0125-iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch b/patches.drivers/0125-iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
deleted file mode 100644
index 00b887b095..0000000000
--- a/patches.drivers/0125-iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 791c58b7dc7279b6f819dc94a5d2f3fd5f8ffb35 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 22 Jun 2017 13:06:21 +0200
-Subject: [PATCH 125/146] iwlwifi: mvm: remove DQA non-STA client mode special
- case
-Git-commit: 6e46496302df7e63158fa1476cf9a30d5ee59dee
-Patch-mainline: v4.13
-References: FATE#322675
-
-When we get a non-STA frame to transmit in client mode, we try to use
-the IWL_MVM_DQA_BSS_CLIENT_QUEUE queue (queue #4). However, at this
-point, the queue might not be allocated at all, causing warnings. The
-scenario on which this happened was a race condition between mac80211
-and our queue allocation work:
- * mac80211 sends auth
- * we stop mac80211 queues to allocate a hw queue
- * authentication is aborted
- * we allocate HW queue and start mac80211 queues
- * mac80211 removes station
- * mac80211 hands us the auth frame from the pending queue
-
-At this point, since mac80211 has already removed the station, we try
-to transmit the frame through this special non-station case on queue
-4 anyway.
-
-In order to really use it properly, we'd have to again go through the
-hw queue allocation work, and attach it to a station, etc. In this
-case that isn't possible (there's no station anymore), but if this
-special case were needed, then we'd have to do it this way.
-
-However, the special case is documented to exist for TDLS, but can't
-trigger there because the TDLS setup frames etc. are normal to-DS
-frames going to the peer through the AP. Testing also confirms that
-this code path isn't triggered in TDLS.
-
-Therefore, remove the code path to avoid using an unused queue. The
-erroneous frame described above will still be transmitted on the AUX
-queue, but arguably that's a mac80211 problem, which will eventually
-be fixed by moving everything there to TXQs.
-
-Fixes: e3118ad74d7e ("iwlwifi: mvm: support tdls in dqa mode")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
----
- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 4 ----
- 1 file changed, 4 deletions(-)
-
---- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
-@@ -653,10 +653,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
- if (ap_sta_id != IWL_MVM_INVALID_STA)
- sta_id = ap_sta_id;
- } else if (iwl_mvm_is_dqa_supported(mvm) &&
-- info.control.vif->type == NL80211_IFTYPE_STATION &&
-- queue != mvm->aux_queue) {
-- queue = IWL_MVM_DQA_BSS_CLIENT_QUEUE;
-- } else if (iwl_mvm_is_dqa_supported(mvm) &&
- info.control.vif->type == NL80211_IFTYPE_MONITOR) {
- queue = mvm->aux_queue;
- }
diff --git a/patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch b/patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch
index c27761bf79..2f51354a21 100644
--- a/patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch
+++ b/patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch
@@ -3,8 +3,7 @@ From: Mika Westerberg <mika.westerberg@linux.intel.com>
Date: Thu, 19 Apr 2018 13:08:37 +0300
Subject: [PATCH] ACPI / scan: Initialize watchdog before PNP
Git-commit: cc6a0e315a68e5db85bea347b0c5b0fe4a9a5904
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: 4.17-rc3
References: bsc#1073960
At least on one Dell system the PNP motherboard resources device
diff --git a/patches.drivers/target-transport-should-handle-st-FM-EOM-ILI-reads.patch b/patches.drivers/target-transport-should-handle-st-FM-EOM-ILI-reads.patch
new file mode 100644
index 0000000000..2c2409d1cf
--- /dev/null
+++ b/patches.drivers/target-transport-should-handle-st-FM-EOM-ILI-reads.patch
@@ -0,0 +1,178 @@
+From b39f109e0d4abdb48d7d00b355a0d7bb808a13cf Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Tue, 15 May 2018 18:11:53 -0700
+Subject: [PATCH] target: transport should handle st FM/EOM/ILI reads
+Patch-mainline: Submitted, linux-scsi ML
+References: bsc#1081599
+
+When a tape drive is exported via LIO using the pscsi module, a read that
+requests more bytes per block than the tape can supply returns an empty
+buffer. This is because the pscsi pass-through target module sees the
+"ILI" illegal length bit set and thinks there is no reason to return
+the data.
+
+This is a long-standing transport issue, since it assumes that no data
+need be returned under a check condition, which isn't always the case
+for tape.
+
+Add in a check for tape reads with the ILI, EOM, or FM bits set,
+with a sense code of NO_SENSE, treating such cases as if the read
+succeeded. The layered tape driver then "does the right thing" when
+it gets such a response.
+
+Changes from v3:
+ - cleaned up comment
+ - Added residual handling
+
+Changes from v2:
+ - Cleaned up subject line and bug text formatting
+ - Removed unneeded inner braces
+ - Removed ugly goto
+ - Also updated the "queue full" path to handle this case
+
+Changes from RFC:
+ - Moved ugly code from transport to pscsi module
+ - Added checking EOM and FM bits, as well as ILI
+ - fixed malformed patch
+ - Clarified description a bit
+
+Signed-off-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/target/target_core_pscsi.c | 26 ++++++++++++++++++-
+ drivers/target/target_core_transport.c | 43 ++++++++++++++++++++++++++++-----
+ include/target/target_core_base.h | 1
+ 3 files changed, 62 insertions(+), 8 deletions(-)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -689,8 +689,29 @@ after_mode_sense:
+ }
+ after_mode_select:
+
+- if (scsi_status == SAM_STAT_CHECK_CONDITION)
++ if (scsi_status == SAM_STAT_CHECK_CONDITION) {
+ transport_copy_sense_to_cmd(cmd, req_sense);
++
++ /*
++ * check for TAPE device reads with
++ * FM/EOM/ILI set, so that we can get data
++ * back despite framework assumption that a
++ * check condition means there is no data
++ */
++ if (sd->type == TYPE_TAPE &&
++ cmd->data_direction == DMA_FROM_DEVICE) {
++ /*
++ * is sense data valid, fixed format,
++ * and have FM, EOM, or ILI set?
++ */
++ if (req_sense[0] == 0xf0 && /* valid, fixed format */
++ req_sense[2] & 0xe0 && /* FM, EOM, or ILI */
++ (req_sense[2] & 0xf) == 0) { /* key==NO_SENSE */
++ pr_debug("Tape FM/EOM/ILI status detected. Treat as normal read.\n");
++ cmd->se_cmd_flags |= SCF_TREAT_READ_AS_NORMAL;
++ }
++ }
++ }
+ }
+
+ enum {
+@@ -1061,7 +1082,8 @@ static void pscsi_req_done(struct reques
+
+ switch (host_byte(result)) {
+ case DID_OK:
+- target_complete_cmd(cmd, scsi_status);
++ target_complete_cmd_with_length(cmd, scsi_status,
++ cmd->data_length - scsi_req(req)->resid_len);
+ break;
+ default:
+ pr_debug("PSCSI Host Byte exception at cmd: %p CDB:"
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -795,7 +795,9 @@ EXPORT_SYMBOL(target_complete_cmd_with_s
+
+ void target_complete_cmd_with_length(struct se_cmd *cmd, u8 scsi_status, int length)
+ {
+- if (scsi_status == SAM_STAT_GOOD && length < cmd->data_length) {
++ if ((scsi_status == SAM_STAT_GOOD ||
++ cmd->se_cmd_flags & SCF_TREAT_READ_AS_NORMAL) &&
++ length < cmd->data_length) {
+ if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) {
+ cmd->residual_count += cmd->data_length - length;
+ } else {
+@@ -2090,12 +2092,24 @@ static void transport_complete_qf(struct
+ goto queue_status;
+ }
+
+- if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE)
++ /*
++ * Check if we need to send a sense buffer from
++ * the struct se_cmd in question. We do NOT want
++ * to take this path of the IO has been marked as
++ * needing to be treated like a "normal read". This
++ * is the case if it's a tape read, and either the
++ * FM, EOM, or ILI bits are set, but there is no
++ * sense data.
++ */
++ if (!(cmd->se_cmd_flags & SCF_TREAT_READ_AS_NORMAL) &&
++ cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE)
+ goto queue_status;
+
+ switch (cmd->data_direction) {
+ case DMA_FROM_DEVICE:
+- if (cmd->scsi_status)
++ /* queue status if not treating this as a normal read */
++ if (cmd->scsi_status &&
++ !(cmd->se_cmd_flags & SCF_TREAT_READ_AS_NORMAL))
+ goto queue_status;
+
+ trace_target_cmd_complete(cmd);
+@@ -2200,9 +2214,15 @@ static void target_complete_ok_work(stru
+
+ /*
+ * Check if we need to send a sense buffer from
+- * the struct se_cmd in question.
++ * the struct se_cmd in question. We do NOT want
++ * to take this path of the IO has been marked as
++ * needing to be treated like a "normal read". This
++ * is the case if it's a tape read, and either the
++ * FM, EOM, or ILI bits are set, but there is no
++ * sense data.
+ */
+- if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
++ if (!(cmd->se_cmd_flags & SCF_TREAT_READ_AS_NORMAL) &&
++ cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ WARN_ON(!cmd->scsi_status);
+ ret = transport_send_check_condition_and_sense(
+ cmd, 0, 1);
+@@ -2244,7 +2264,18 @@ static void target_complete_ok_work(stru
+ queue_rsp:
+ switch (cmd->data_direction) {
+ case DMA_FROM_DEVICE:
+- if (cmd->scsi_status)
++ /*
++ * if this is a READ-type IO, but SCSI status
++ * is set, then skip returning data and just
++ * return the status -- unless this IO is marked
++ * as needing to be treated as a normal read,
++ * in which case we want to go ahead and return
++ * the data. This happens, for example, for tape
++ * reads with the FM, EOM, or ILI bits set, with
++ * no sense data.
++ */
++ if (cmd->scsi_status &&
++ !(cmd->se_cmd_flags & SCF_TREAT_READ_AS_NORMAL))
+ goto queue_status;
+
+ atomic_long_add(cmd->data_length,
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -144,6 +144,7 @@ enum se_cmd_flags_table {
+ SCF_ACK_KREF = 0x00400000,
+ SCF_USE_CPUID = 0x00800000,
+ SCF_TASK_ATTR_SET = 0x01000000,
++ SCF_TREAT_READ_AS_NORMAL = 0x02000000,
+ };
+
+ /*
diff --git a/patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch b/patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch
index 6a2685ac52..1e73be852b 100644
--- a/patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch
+++ b/patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch
@@ -1,9 +1,8 @@
From: Luis Henriques <lhenriques@suse.com>
Date: Mon, 21 May 2018 10:27:29 +0100
Subject: ceph: fix st_nlink stat for directories
-Patch-mainline: Queued in subsystem maintainer repository
-Git-repo: git://github.com/ceph/ceph-client
-Git-commit: 2ddcb9a1b4c7a07f322090677334bbfeee0206d9
+Git-commit: 8c6286f1c69743ebdb2ee15f9165f9c4d44eef49
+Patch-mainline: v4.18-rc1
References: bsc#1093904
Currently, calling stat on a cephfs directory returns 1 for st_nlink.
@@ -18,6 +17,7 @@ This patch modifies the kernel client to have a similar behaviour.
Link: https://tracker.ceph.com/issues/23873
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
---
fs/ceph/inode.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/patches.fixes/firmware-add-helper-to-unregister-pm-ops.patch b/patches.fixes/firmware-add-helper-to-unregister-pm-ops.patch
new file mode 100644
index 0000000000..b8f3514180
--- /dev/null
+++ b/patches.fixes/firmware-add-helper-to-unregister-pm-ops.patch
@@ -0,0 +1,57 @@
+From a67e503b67a8b0d99c3fa96ae6c254ca5d8bb2ba Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Mon, 20 Nov 2017 09:45:31 -0800
+Subject: [PATCH] firmware: add helper to unregister pm ops
+Git-commit: a67e503b67a8b0d99c3fa96ae6c254ca5d8bb2ba
+Patch-mainline: v4.16-rc1
+References: bsc#1085937
+
+This will be used later to unfold on error on init.
+
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 4b57cf5bc81d..149413a376cf 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -1767,11 +1767,20 @@ static int fw_suspend(void)
+ static struct syscore_ops fw_syscore_ops = {
+ .suspend = fw_suspend,
+ };
++
++static inline void unregister_fw_pm_ops(void)
++{
++ unregister_syscore_ops(&fw_syscore_ops);
++ unregister_pm_notifier(&fw_cache.pm_notify);
++}
+ #else
+ static int fw_cache_piggyback_on_request(const char *name)
+ {
+ return 0;
+ }
++static inline void unregister_fw_pm_ops(void)
++{
++}
+ #endif
+
+ static void __init fw_cache_init(void)
+@@ -1823,10 +1832,7 @@ static int __init firmware_class_init(void)
+
+ static void __exit firmware_class_exit(void)
+ {
+-#ifdef CONFIG_PM_SLEEP
+- unregister_syscore_ops(&fw_syscore_ops);
+- unregister_pm_notifier(&fw_cache.pm_notify);
+-#endif
++ unregister_fw_pm_ops();
+ unregister_reboot_notifier(&fw_shutdown_nb);
+ #ifdef CONFIG_FW_LOADER_USER_HELPER
+ class_unregister(&firmware_class);
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-always-enable-the-reboot-notifier.patch b/patches.fixes/firmware-always-enable-the-reboot-notifier.patch
new file mode 100644
index 0000000000..a7565e7327
--- /dev/null
+++ b/patches.fixes/firmware-always-enable-the-reboot-notifier.patch
@@ -0,0 +1,92 @@
+From a669f04ab4b4d7e5a7ac8250f0b688a07e10b04c Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Tue, 2 May 2017 01:31:04 -0700
+Subject: [PATCH] firmware: always enable the reboot notifier
+Git-commit: a669f04ab4b4d7e5a7ac8250f0b688a07e10b04c
+Patch-mainline: v4.13-rc1
+References: bsc#1085937
+
+Now that we've have proper wrappers for the fallback mechanism
+we can easily share the reboot notifier for the firmware_class
+at all times.
+
+This change will make subsequent modifications to the reboot
+notifier easier to review.
+
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 37 ++++++++++++++++++-------------------
+ 1 file changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 58b661df6d34..dd9b7f3d0927 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -575,23 +575,6 @@ static void kill_pending_fw_fallback_reqs(bool only_kill_custom)
+ mutex_unlock(&fw_lock);
+ }
+
+-/* reboot notifier for avoid deadlock with usermode_lock */
+-static int fw_shutdown_notify(struct notifier_block *unused1,
+- unsigned long unused2, void *unused3)
+-{
+- /*
+- * Kill all pending fallback requests to avoid both stalling shutdown,
+- * and avoid a deadlock with the usermode_lock.
+- */
+- kill_pending_fw_fallback_reqs(false);
+-
+- return NOTIFY_DONE;
+-}
+-
+-static struct notifier_block fw_shutdown_nb = {
+- .notifier_call = fw_shutdown_notify,
+-};
+-
+ static ssize_t timeout_show(struct class *class, struct class_attribute *attr,
+ char *buf)
+ {
+@@ -1782,11 +1765,27 @@ static void __init fw_cache_init(void)
+ #endif
+ }
+
++static int fw_shutdown_notify(struct notifier_block *unused1,
++ unsigned long unused2, void *unused3)
++{
++ /*
++ * Kill all pending fallback requests to avoid both stalling shutdown,
++ * and avoid a deadlock with the usermode_lock.
++ */
++ kill_pending_fw_fallback_reqs(false);
++
++ return NOTIFY_DONE;
++}
++
++static struct notifier_block fw_shutdown_nb = {
++ .notifier_call = fw_shutdown_notify,
++};
++
+ static int __init firmware_class_init(void)
+ {
+ fw_cache_init();
+-#ifdef CONFIG_FW_LOADER_USER_HELPER
+ register_reboot_notifier(&fw_shutdown_nb);
++#ifdef CONFIG_FW_LOADER_USER_HELPER
+ return class_register(&firmware_class);
+ #else
+ return 0;
+@@ -1799,8 +1798,8 @@ static void __exit firmware_class_exit(void)
+ unregister_syscore_ops(&fw_syscore_ops);
+ unregister_pm_notifier(&fw_cache.pm_notify);
+ #endif
+-#ifdef CONFIG_FW_LOADER_USER_HELPER
+ unregister_reboot_notifier(&fw_shutdown_nb);
++#ifdef CONFIG_FW_LOADER_USER_HELPER
+ class_unregister(&firmware_class);
+ #endif
+ }
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-fix-capturing-errors-on-fw_cache_init-on-ea.patch b/patches.fixes/firmware-fix-capturing-errors-on-fw_cache_init-on-ea.patch
new file mode 100644
index 0000000000..979d367bd4
--- /dev/null
+++ b/patches.fixes/firmware-fix-capturing-errors-on-fw_cache_init-on-ea.patch
@@ -0,0 +1,106 @@
+From 59b6d859ff0e36872396afdd3d853036408a87dc Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Mon, 20 Nov 2017 09:45:32 -0800
+Subject: [PATCH] firmware: fix capturing errors on fw_cache_init() on early
+ init
+Git-commit: 59b6d859ff0e36872396afdd3d853036408a87dc
+Patch-mainline: v4.16-rc1
+References: bsc#1085937
+
+register_pm_notifier() can technically fail, caputure this.
+Note that register_syscore_ops() cannot fail given it just
+adds an element to a linked list. This has been broken since
+v3.7. Chances of this failing however are slim.
+
+To improve code readability move the code folded under CONFIG_PM_SLEEP
+into a helper.
+
+Fixes: 07646d9c0938d ("firmware loader: cache devices firmware during suspend/resume cycle")
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 45 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 149413a376cf..c8033c5488f9 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -1768,6 +1768,26 @@ static struct syscore_ops fw_syscore_ops = {
+ .suspend = fw_suspend,
+ };
+
++static int __init register_fw_pm_ops(void)
++{
++ int ret;
++
++ spin_lock_init(&fw_cache.name_lock);
++ INIT_LIST_HEAD(&fw_cache.fw_names);
++
++ INIT_DELAYED_WORK(&fw_cache.work,
++ device_uncache_fw_images_work);
++
++ fw_cache.pm_notify.notifier_call = fw_pm_notify;
++ ret = register_pm_notifier(&fw_cache.pm_notify);
++ if (ret)
++ return ret;
++
++ register_syscore_ops(&fw_syscore_ops);
++
++ return ret;
++}
++
+ static inline void unregister_fw_pm_ops(void)
+ {
+ unregister_syscore_ops(&fw_syscore_ops);
+@@ -1778,6 +1798,10 @@ static int fw_cache_piggyback_on_request(const char *name)
+ {
+ return 0;
+ }
++static inline int register_fw_pm_ops(void)
++{
++ return 0;
++}
+ static inline void unregister_fw_pm_ops(void)
+ {
+ }
+@@ -1788,19 +1812,6 @@ static void __init fw_cache_init(void)
+ spin_lock_init(&fw_cache.lock);
+ INIT_LIST_HEAD(&fw_cache.head);
+ fw_cache.state = FW_LOADER_NO_CACHE;
+-
+-#ifdef CONFIG_PM_SLEEP
+- spin_lock_init(&fw_cache.name_lock);
+- INIT_LIST_HEAD(&fw_cache.fw_names);
+-
+- INIT_DELAYED_WORK(&fw_cache.work,
+- device_uncache_fw_images_work);
+-
+- fw_cache.pm_notify.notifier_call = fw_pm_notify;
+- register_pm_notifier(&fw_cache.pm_notify);
+-
+- register_syscore_ops(&fw_syscore_ops);
+-#endif
+ }
+
+ static int fw_shutdown_notify(struct notifier_block *unused1,
+@@ -1821,7 +1832,15 @@ static struct notifier_block fw_shutdown_nb = {
+
+ static int __init firmware_class_init(void)
+ {
++ int ret;
++
++ /* No need to unfold these on exit */
+ fw_cache_init();
++
++ ret = register_fw_pm_ops();
++ if (ret)
++ return ret;
++
+ register_reboot_notifier(&fw_shutdown_nb);
+ #ifdef CONFIG_FW_LOADER_USER_HELPER
+ return class_register(&firmware_class);
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-fix-detecting-error-on-register_reboot_noti.patch b/patches.fixes/firmware-fix-detecting-error-on-register_reboot_noti.patch
new file mode 100644
index 0000000000..3095c11274
--- /dev/null
+++ b/patches.fixes/firmware-fix-detecting-error-on-register_reboot_noti.patch
@@ -0,0 +1,44 @@
+From 561a10b6a15b531de359ccfc489488c733bb2821 Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Mon, 20 Nov 2017 09:45:34 -0800
+Subject: [PATCH] firmware: fix detecting error on register_reboot_notifier()
+Git-commit: 561a10b6a15b531de359ccfc489488c733bb2821
+Patch-mainline: v4.16-rc1
+References: bsc#1085936
+
+register_reboot_notifier() can fail, detect this and address this
+failure. This has been broken since v3.11, however the chances of
+this failing here is really low.
+
+Fixes: fe304143b0c3d ("firmware: Avoid deadlock of usermodehelper lock at shutdown")
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 3340a17e0499..7ab54f2b032f 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -1860,8 +1860,15 @@ static int __init firmware_class_init(void)
+ if (ret)
+ return ret;
+
+- register_reboot_notifier(&fw_shutdown_nb);
++ ret = register_reboot_notifier(&fw_shutdown_nb);
++ if (ret)
++ goto out;
++
+ return register_sysfs_loader();
++
++out:
++ unregister_fw_pm_ops();
++ return ret;
+ }
+
+ static void __exit firmware_class_exit(void)
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-move-kill_requests_without_uevent-up-above.patch b/patches.fixes/firmware-move-kill_requests_without_uevent-up-above.patch
new file mode 100644
index 0000000000..71b1cab84d
--- /dev/null
+++ b/patches.fixes/firmware-move-kill_requests_without_uevent-up-above.patch
@@ -0,0 +1,72 @@
+From 6383331d8f390da68e5cb3e9184b5c99429c4545 Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Tue, 2 May 2017 01:31:02 -0700
+Subject: [PATCH] firmware: move kill_requests_without_uevent() up above
+Git-commit: 6383331d8f390da68e5cb3e9184b5c99429c4545
+Patch-mainline: v4.13-rc1
+References: bsc#1085937
+
+This routine will used in functions declared earlier next. This
+code shift has no functional changes, it will make subsequent
+changes easier to read.
+
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index ac350c518e0c..900b139668e8 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -562,6 +562,22 @@ static void fw_load_abort(struct firmware_priv *fw_priv)
+
+ static LIST_HEAD(pending_fw_head);
+
++#ifdef CONFIG_PM_SLEEP
++/* kill pending requests without uevent to avoid blocking suspend */
++static void kill_requests_without_uevent(void)
++{
++ struct firmware_buf *buf;
++ struct firmware_buf *next;
++
++ mutex_lock(&fw_lock);
++ list_for_each_entry_safe(buf, next, &pending_fw_head, pending_list) {
++ if (!buf->need_uevent)
++ __fw_load_abort(buf);
++ }
++ mutex_unlock(&fw_lock);
++}
++#endif
++
+ /* reboot notifier for avoid deadlock with usermode_lock */
+ static int fw_shutdown_notify(struct notifier_block *unused1,
+ unsigned long unused2, void *unused3)
+@@ -1048,22 +1064,6 @@ static int fw_load_from_user_helper(struct firmware *firmware,
+ return _request_firmware_load(fw_priv, opt_flags, timeout);
+ }
+
+-#ifdef CONFIG_PM_SLEEP
+-/* kill pending requests without uevent to avoid blocking suspend */
+-static void kill_requests_without_uevent(void)
+-{
+- struct firmware_buf *buf;
+- struct firmware_buf *next;
+-
+- mutex_lock(&fw_lock);
+- list_for_each_entry_safe(buf, next, &pending_fw_head, pending_list) {
+- if (!buf->need_uevent)
+- __fw_load_abort(buf);
+- }
+- mutex_unlock(&fw_lock);
+-}
+-#endif
+-
+ #else /* CONFIG_FW_LOADER_USER_HELPER */
+ static inline int
+ fw_load_from_user_helper(struct firmware *firmware, const char *name,
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-provide-helpers-for-registering-the-syfs-lo.patch b/patches.fixes/firmware-provide-helpers-for-registering-the-syfs-lo.patch
new file mode 100644
index 0000000000..d7db4d33c0
--- /dev/null
+++ b/patches.fixes/firmware-provide-helpers-for-registering-the-syfs-lo.patch
@@ -0,0 +1,81 @@
+From 6bb9cf3aa3edf5968877d3f7863e232d4b9394a4 Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Mon, 20 Nov 2017 09:45:33 -0800
+Subject: [PATCH] firmware: provide helpers for registering the syfs loader
+Git-commit: 6bb9cf3aa3edf5968877d3f7863e232d4b9394a4
+Patch-mainline: v4.16-rc1
+References: bsc#1085937
+
+This makes init / exit much easier to read, and we can later
+reuse this code on other errors not captured yet.
+
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index c8033c5488f9..3340a17e0499 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -687,6 +687,16 @@ static struct class firmware_class = {
+ .dev_release = fw_dev_release,
+ };
+
++static inline int register_sysfs_loader(void)
++{
++ return class_register(&firmware_class);
++}
++
++static inline void unregister_sysfs_loader(void)
++{
++ class_unregister(&firmware_class);
++}
++
+ static ssize_t firmware_loading_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -1124,6 +1134,15 @@ fw_load_from_user_helper(struct firmware *firmware, const char *name,
+
+ static inline void kill_pending_fw_fallback_reqs(bool only_kill_custom) { }
+
++static inline int register_sysfs_loader(void)
++{
++ return 0;
++}
++
++static inline void unregister_sysfs_loader(void)
++{
++}
++
+ #endif /* CONFIG_FW_LOADER_USER_HELPER */
+
+ /* prepare firmware and firmware_buf structs;
+@@ -1842,20 +1861,14 @@ static int __init firmware_class_init(void)
+ return ret;
+
+ register_reboot_notifier(&fw_shutdown_nb);
+-#ifdef CONFIG_FW_LOADER_USER_HELPER
+- return class_register(&firmware_class);
+-#else
+- return 0;
+-#endif
++ return register_sysfs_loader();
+ }
+
+ static void __exit firmware_class_exit(void)
+ {
+ unregister_fw_pm_ops();
+ unregister_reboot_notifier(&fw_shutdown_nb);
+-#ifdef CONFIG_FW_LOADER_USER_HELPER
+- class_unregister(&firmware_class);
+-#endif
++ unregister_sysfs_loader();
+ }
+
+ fs_initcall(firmware_class_init);
+--
+2.16.3
+
diff --git a/patches.fixes/firmware-share-fw-fallback-killing-on-reboot-suspend.patch b/patches.fixes/firmware-share-fw-fallback-killing-on-reboot-suspend.patch
new file mode 100644
index 0000000000..15299428e3
--- /dev/null
+++ b/patches.fixes/firmware-share-fw-fallback-killing-on-reboot-suspend.patch
@@ -0,0 +1,94 @@
+From c4b768934be613fb882e4e4090946218d76c8e1b Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Date: Tue, 2 May 2017 01:31:03 -0700
+Subject: [PATCH] firmware: share fw fallback killing on reboot/suspend
+Git-commit: c4b768934be613fb882e4e4090946218d76c8e1b
+Patch-mainline: v4.13-rc1
+References: bsc#1085937
+
+We kill pending fallback requests on suspend and reboot,
+the only difference is that on suspend we only kill custom
+fallback requests. Provide a wrapper that lets us customize
+the request with a flag.
+
+This also lets us simplify the #ifdef'ery over the calls.
+
+Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+---
+ drivers/base/firmware_class.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
+index 900b139668e8..58b661df6d34 100644
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -562,32 +562,29 @@ static void fw_load_abort(struct firmware_priv *fw_priv)
+
+ static LIST_HEAD(pending_fw_head);
+
+-#ifdef CONFIG_PM_SLEEP
+-/* kill pending requests without uevent to avoid blocking suspend */
+-static void kill_requests_without_uevent(void)
++static void kill_pending_fw_fallback_reqs(bool only_kill_custom)
+ {
+ struct firmware_buf *buf;
+ struct firmware_buf *next;
+
+ mutex_lock(&fw_lock);
+ list_for_each_entry_safe(buf, next, &pending_fw_head, pending_list) {
+- if (!buf->need_uevent)
++ if (!buf->need_uevent || !only_kill_custom)
+ __fw_load_abort(buf);
+ }
+ mutex_unlock(&fw_lock);
+ }
+-#endif
+
+ /* reboot notifier for avoid deadlock with usermode_lock */
+ static int fw_shutdown_notify(struct notifier_block *unused1,
+ unsigned long unused2, void *unused3)
+ {
+- mutex_lock(&fw_lock);
+- while (!list_empty(&pending_fw_head))
+- __fw_load_abort(list_first_entry(&pending_fw_head,
+- struct firmware_buf,
+- pending_list));
+- mutex_unlock(&fw_lock);
++ /*
++ * Kill all pending fallback requests to avoid both stalling shutdown,
++ * and avoid a deadlock with the usermode_lock.
++ */
++ kill_pending_fw_fallback_reqs(false);
++
+ return NOTIFY_DONE;
+ }
+
+@@ -1073,9 +1070,7 @@ fw_load_from_user_helper(struct firmware *firmware, const char *name,
+ return -ENOENT;
+ }
+
+-#ifdef CONFIG_PM_SLEEP
+-static inline void kill_requests_without_uevent(void) { }
+-#endif
++static inline void kill_pending_fw_fallback_reqs(bool only_kill_custom) { }
+
+ #endif /* CONFIG_FW_LOADER_USER_HELPER */
+
+@@ -1724,7 +1719,11 @@ static int fw_pm_notify(struct notifier_block *notify_block,
+ case PM_HIBERNATION_PREPARE:
+ case PM_SUSPEND_PREPARE:
+ case PM_RESTORE_PREPARE:
+- kill_requests_without_uevent();
++ /*
++ * kill pending fallback requests with a custom fallback
++ * to avoid stalling suspend.
++ */
++ kill_pending_fw_fallback_reqs(true);
+ device_cache_fw_images();
+ break;
+
+--
+2.16.3
+
diff --git a/patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch b/patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch
index 6749549dde..c5b1fc17aa 100644
--- a/patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch
+++ b/patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch
@@ -3,7 +3,7 @@ Date: Tue, 26 Sep 2017 15:14:29 +0300
Subject: vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
Patch-mainline: v4.14-rc4
Git-commit: 36f6ee22d2d66046e369757ec6bbe1c482957ba6
-References: bsc#1076830
+References: bsc#1076830 networking-stable-17_10_09
When running LTP IPsec tests, KASan might report:
diff --git a/patches.fixes/x86-do-not-reserve-crash-kernel-if-booted-on-xen-pv.patch b/patches.fixes/x86-do-not-reserve-crash-kernel-if-booted-on-xen-pv.patch
new file mode 100644
index 0000000000..6f76fc1256
--- /dev/null
+++ b/patches.fixes/x86-do-not-reserve-crash-kernel-if-booted-on-xen-pv.patch
@@ -0,0 +1,60 @@
+From: Petr Tesarik <ptesarik@suse.cz>
+Date: Wed, 25 Apr 2018 12:08:35 +0200
+Subject: x86/setup: Do not reserve a crash kernel region if booted on Xen PV
+References: bsc#1085626
+Git-commit: 3db3eb285259ac129f7aec6b814b3e9f6c1b372b
+Patch-mainline: v4.17-rc3
+
+Xen PV domains cannot shut down and start a crash kernel. Instead,
+the crashing kernel makes a SCHEDOP_shutdown hypercall with the
+reason code SHUTDOWN_crash, cf. xen_crash_shutdown() machine op in
+arch/x86/xen/enlighten_pv.c.
+
+A crash kernel reservation is merely a waste of RAM in this case. It
+may also confuse users of kexec_load(2) and/or kexec_file_load(2).
+When flags include KEXEC_ON_CRASH or KEXEC_FILE_ON_CRASH,
+respectively, these syscalls return success, which is technically
+correct, but the crash kexec image will never be actually used.
+
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Dou Liyang <douly.fnst@cn.fujitsu.com>
+Cc: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Jean Delvare <jdelvare@suse.de>
+Link: https://lkml.kernel.org/r/20180425120835.23cef60c@ezekiel.suse.cz
+---
+ arch/x86/kernel/setup.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 6285697b6e56..5c623dfe39d1 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -50,6 +50,7 @@
+ #include <linux/init_ohci1394_dma.h>
+ #include <linux/kvm_para.h>
+ #include <linux/dma-contiguous.h>
++#include <xen/xen.h>
+
+ #include <linux/errno.h>
+ #include <linux/kernel.h>
+@@ -534,6 +535,11 @@ static void __init reserve_crashkernel(void)
+ high = true;
+ }
+
++ if (xen_pv_domain()) {
++ pr_info("Ignoring crashkernel for a Xen PV domain\n");
++ return;
++ }
++
+ /* 0 means: find the address automatically */
+ if (crash_base <= 0) {
+ /*
+
diff --git a/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch b/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
new file mode 100644
index 0000000000..afdf67d992
--- /dev/null
+++ b/patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
@@ -0,0 +1,56 @@
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 12 Jun 2018 08:57:53 +0200
+Patch-mainline: v4.18-rc1
+Git-commit: 57f230ab04d2910a06d17d988f1c4d7586a59113
+References: bnc#1076049
+Subject: xen/netfront: raise max number of slots in xennet_get_responses()
+
+The max number of slots used in xennet_get_responses() is set to
+MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD).
+
+In old kernel-xen MAX_SKB_FRAGS was 18, while nowadays it is 17. This
+difference is resulting in frequent messages "too many slots" and a
+reduced network throughput for some workloads (factor 10 below that of
+a kernel-xen based guest).
+
+Replacing MAX_SKB_FRAGS by XEN_NETIF_NR_SLOTS_MIN for calculation of
+the max number of slots to use solves that problem (tests showed no
+more messages "too many slots" and throughput was as high as with the
+kernel-xen based guest system).
+
+Replace MAX_SKB_FRAGS-2 by XEN_NETIF_NR_SLOTS_MIN-1 in
+netfront_tx_slot_available() for making it clearer what is really being
+tested without actually modifying the tested value.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/xen-netfront.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 679da1a..922ce0a 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -239,7 +239,7 @@ static void rx_refill_timeout(struct timer_list *t)
+ static int netfront_tx_slot_available(struct netfront_queue *queue)
+ {
+ return (queue->tx.req_prod_pvt - queue->tx.rsp_cons) <
+- (NET_TX_RING_SIZE - MAX_SKB_FRAGS - 2);
++ (NET_TX_RING_SIZE - XEN_NETIF_NR_SLOTS_MIN - 1);
+ }
+
+ static void xennet_maybe_wake_tx(struct netfront_queue *queue)
+@@ -790,7 +790,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+ RING_IDX cons = queue->rx.rsp_cons;
+ struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
+ grant_ref_t ref = xennet_get_rx_ref(queue, cons);
+- int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
++ int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
+ int slots = 1;
+ int err = 0;
+ unsigned long ret;
+--
+cgit v1.1
+
diff --git a/patches.kabi/kabi-protect-struct-ipv6_pinfo.patch b/patches.kabi/kabi-protect-struct-ipv6_pinfo.patch
new file mode 100644
index 0000000000..8eeebf9845
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-ipv6_pinfo.patch
@@ -0,0 +1,34 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect struct ipv6_pinfo
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-17_12_31, commit
+513674b5a2c9c7a67501506419da5c3c77ac6f08 (net: reevalulate autoflowlabel
+setting after sysctl setting) added one bit to a bitmask in struct
+ipv6_pinfo. It made the kABI checker to complain.
+
+Given the bit did not change the structure size and autoflowlabels are
+used in the ipv6 core code only, just hide the change from the kABI
+checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/ipv6.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -255,8 +255,12 @@ struct ipv6_pinfo {
+ * 100: prefer care-of address
+ */
+ dontfrag:1,
++#ifdef __GENKSYMS__
++ autoflowlabel:1;
++#else
+ autoflowlabel:1,
+ autoflowlabel_set:1;
++#endif
+ __u8 min_hopcount;
+ __u8 tclass;
+ __be32 rcv_flowinfo;
diff --git a/patches.kabi/kabi-protect-tap_create_cdev.patch b/patches.kabi/kabi-protect-tap_create_cdev.patch
new file mode 100644
index 0000000000..9a19d36810
--- /dev/null
+++ b/patches.kabi/kabi-protect-tap_create_cdev.patch
@@ -0,0 +1,83 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect tap_create_cdev
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-17_11_14, commit
+dea6e19f4ef746aa18b4c33d1a7fed54356796ed (tap: reference to KVA of an
+unloaded module causes kernel panic) added one parameter to
+tap_create_cdev. This indeed changed the checksum of this exported
+function and the kABI checker now complains.
+
+So leave tap_create_cdev as it was and rename the new one to
+tap_create_cdev4.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ipvlan/ipvtap.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/tap.c | 9 ++++++++-
+ include/linux/if_tap.h | 4 +++-
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvtap.c
++++ b/drivers/net/ipvlan/ipvtap.c
+@@ -197,7 +197,7 @@ static int ipvtap_init(void)
+ {
+ int err;
+
+- err = tap_create_cdev(&ipvtap_cdev, &ipvtap_major, "ipvtap",
++ err = tap_create_cdev4(&ipvtap_cdev, &ipvtap_major, "ipvtap",
+ THIS_MODULE);
+ if (err)
+ goto out1;
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -204,7 +204,7 @@ static int macvtap_init(void)
+ {
+ int err;
+
+- err = tap_create_cdev(&macvtap_cdev, &macvtap_major, "macvtap",
++ err = tap_create_cdev4(&macvtap_cdev, &macvtap_major, "macvtap",
+ THIS_MODULE);
+ if (err)
+ goto out1;
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -1231,7 +1231,7 @@ static int tap_list_add(dev_t major, con
+ return 0;
+ }
+
+-int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++int tap_create_cdev4(struct cdev *tap_cdev, dev_t *tap_major,
+ const char *device_name, struct module *module)
+ {
+ int err;
+@@ -1259,6 +1259,13 @@ out2:
+ out1:
+ return err;
+ }
++EXPORT_SYMBOL_GPL(tap_create_cdev4);
++
++int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++ const char *device_name)
++{
++ return tap_create_cdev4(tap_cdev, tap_major, device_name, NULL);
++}
+ EXPORT_SYMBOL_GPL(tap_create_cdev);
+
+ void tap_destroy_cdev(dev_t major, struct cdev *tap_cdev)
+--- a/include/linux/if_tap.h
++++ b/include/linux/if_tap.h
+@@ -68,8 +68,10 @@ void tap_del_queues(struct tap_dev *tap)
+ int tap_get_minor(dev_t major, struct tap_dev *tap);
+ void tap_free_minor(dev_t major, struct tap_dev *tap);
+ int tap_queue_resize(struct tap_dev *tap);
+-int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++int tap_create_cdev4(struct cdev *tap_cdev, dev_t *tap_major,
+ const char *device_name, struct module *module);
++int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++ const char *device_name);
+ void tap_destroy_cdev(dev_t major, struct cdev *tap_cdev);
+
+ #endif /*_LINUX_IF_TAP_H_*/
diff --git a/patches.suse/0012-btrfs-allow-backref-search-checks-for-shared-extents.patch b/patches.suse/0012-btrfs-allow-backref-search-checks-for-shared-extents.patch
index a34b4d231b..e4f9ec2f46 100644
--- a/patches.suse/0012-btrfs-allow-backref-search-checks-for-shared-extents.patch
+++ b/patches.suse/0012-btrfs-allow-backref-search-checks-for-shared-extents.patch
@@ -1,7 +1,7 @@
From: Edmund Nadolski <enadolski@suse.com>
Subject: btrfs: allow backref search checks for shared extents
References: bsc#974590 bsc#1030061 bsc#1022914 bsc#1017461
-Git-commit: 9dd14fd6964e6db02346d5f472f915029728b8cf
+Git-commit: 3ec4d3238ab1655ae3f696c412fb3244cd3b58de
Patch-mainline: v4.14-rc1
When called with a struct share_check, find_parent_nodes()
diff --git a/patches.suse/8021q-fix-a-memory-leak-for-VLAN-0-device.patch b/patches.suse/8021q-fix-a-memory-leak-for-VLAN-0-device.patch
new file mode 100644
index 0000000000..cb93968683
--- /dev/null
+++ b/patches.suse/8021q-fix-a-memory-leak-for-VLAN-0-device.patch
@@ -0,0 +1,42 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 9 Jan 2018 13:40:41 -0800
+Subject: 8021q: fix a memory leak for VLAN 0 device
+Git-commit: 78bbb15f2239bc8e663aa20bbe1987c91a0b75f6
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+A vlan device with vid 0 is allow to creat by not able to be fully
+cleaned up by unregister_vlan_dev() which checks for vlan_id!=0.
+
+Also, VLAN 0 is probably not a valid number and it is kinda
+"reserved" for HW accelerating devices, but it is probably too
+late to reject it from creation even if makes sense. Instead,
+just remove the check in unregister_vlan_dev().
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/8021q/vlan.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_devi
+ vlan_gvrp_uninit_applicant(real_dev);
+ }
+
+- /* Take it out of our own structures, but be sure to interlock with
+- * HW accelerating devices or SW vlan input packet processing if
+- * VLAN is not 0 (leave it there for 802.1p).
+- */
+- if (vlan_id)
+- vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
++ vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
+
+ /* Get rid of the vlan's reference to real_dev */
+ dev_put(real_dev);
diff --git a/patches.suse/8139too-revisit-napi_complete_done-usage.patch b/patches.suse/8139too-revisit-napi_complete_done-usage.patch
new file mode 100644
index 0000000000..1ab04918bc
--- /dev/null
+++ b/patches.suse/8139too-revisit-napi_complete_done-usage.patch
@@ -0,0 +1,44 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 18 Sep 2017 13:03:43 -0700
+Subject: 8139too: revisit napi_complete_done() usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 129c6cda2de2a8ac44fab096152469999b727faf
+Patch-mainline: v4.14-rc2
+References: networking-stable-17_10_09
+
+It seems we have to be more careful in napi_complete_done()
+use. This patch is not a revert, as it seems we can
+avoid bug that Ville reported by moving the napi_complete_done()
+test in the spinlock section.
+
+Many thanks to Ville for detective work and all tests.
+
+Fixes: 617f01211baf ("8139too: use napi_complete_done()")
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/realtek/8139too.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/8139too.c
++++ b/drivers/net/ethernet/realtek/8139too.c
+@@ -2135,11 +2135,12 @@ static int rtl8139_poll(struct napi_stru
+ if (likely(RTL_R16(IntrStatus) & RxAckBits))
+ work_done += rtl8139_rx(dev, tp, budget);
+
+- if (work_done < budget && napi_complete_done(napi, work_done)) {
++ if (work_done < budget) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&tp->lock, flags);
+- RTL_W16_F(IntrMask, rtl8139_intr_mask);
++ if (napi_complete_done(napi, work_done))
++ RTL_W16_F(IntrMask, rtl8139_intr_mask);
+ spin_unlock_irqrestore(&tp->lock, flags);
+ }
+ spin_unlock(&tp->rx_lock);
diff --git a/patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch b/patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch
new file mode 100644
index 0000000000..4cbc8593fd
--- /dev/null
+++ b/patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch
@@ -0,0 +1,69 @@
+From: Avinash Repaka <avinash.repaka@oracle.com>
+Date: Thu, 21 Dec 2017 20:17:04 -0800
+Subject: RDS: Check cmsg_len before dereferencing CMSG_DATA
+Git-commit: 14e138a86f6347c6199f610576d2e11c03bec5f0
+Patch-mainline: v4.15-rc6
+References: networking-stable-17_12_31
+
+RDS currently doesn't check if the length of the control message is
+large enough to hold the required data, before dereferencing the control
+message data. This results in following crash:
+
+BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
+[inline]
+BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
+net/rds/send.c:1066
+Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157
+
+CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x25b/0x340 mm/kasan/report.c:409
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
+ rds_rdma_bytes net/rds/send.c:1013 [inline]
+ rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
+ sock_sendmsg_nosec net/socket.c:628 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:638
+ ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
+ __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
+ SYSC_sendmmsg net/socket.c:2139 [inline]
+ SyS_sendmmsg+0x35/0x60 net/socket.c:2134
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+RIP: 0033:0x43fe49
+RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
+RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
+R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000
+
+To fix this, we verify that the cmsg_len is large enough to hold the
+data to be read, before proceeding further.
+
+Reported-by: syzbot <syzkaller-bugs@googlegroups.com>
+Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rds/send.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1007,6 +1007,9 @@ static int rds_rdma_bytes(struct msghdr
+ continue;
+
+ if (cmsg->cmsg_type == RDS_CMSG_RDMA_ARGS) {
++ if (cmsg->cmsg_len <
++ CMSG_LEN(sizeof(struct rds_rdma_args)))
++ return -EINVAL;
+ args = CMSG_DATA(cmsg);
+ *rdma_bytes += args->remote_vec.bytes;
+ }
diff --git a/patches.suse/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch b/patches.suse/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch
new file mode 100644
index 0000000000..3ee6db4785
--- /dev/null
+++ b/patches.suse/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch
@@ -0,0 +1,35 @@
+From: "Nikita V. Shirokov" <tehnerd@fb.com>
+Date: Wed, 6 Dec 2017 17:15:43 -0800
+Subject: adding missing rcu_read_unlock in ipxip6_rcv
+Git-commit: 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_31
+
+commit 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
+introduced new exit point in ipxip6_rcv. however rcu_read_unlock is
+missing there. this diff is fixing this
+
+v1->v2:
+ instead of doing rcu_read_unlock in place, we are going to "drop"
+ section (to prevent skb leakage)
+
+Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
+Signed-off-by: Nikita V. Shirokov <tehnerd@fb.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -912,7 +912,7 @@ static int ipxip6_rcv(struct sk_buff *sk
+ if (t->parms.collect_md) {
+ tun_dst = ipv6_tun_rx_dst(skb, 0, 0, 0);
+ if (!tun_dst)
+- return 0;
++ goto drop;
+ }
+ ret = __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
+ log_ecn_error);
diff --git a/patches.suse/af_netlink-ensure-that-NLMSG_DONE-never-fails-in-dum.patch b/patches.suse/af_netlink-ensure-that-NLMSG_DONE-never-fails-in-dum.patch
new file mode 100644
index 0000000000..a66b74ec7d
--- /dev/null
+++ b/patches.suse/af_netlink-ensure-that-NLMSG_DONE-never-fails-in-dum.patch
@@ -0,0 +1,111 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 9 Nov 2017 13:04:44 +0900
+Subject: af_netlink: ensure that NLMSG_DONE never fails in dumps
+Git-commit: 0642840b8bb008528dbdf929cec9f65ac4231ad0
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_11_20
+
+The way people generally use netlink_dump is that they fill in the skb
+as much as possible, breaking when nla_put returns an error. Then, they
+get called again and start filling out the next skb, and again, and so
+forth. The mechanism at work here is the ability for the iterative
+dumping function to detect when the skb is filled up and not fill it
+past the brim, waiting for a fresh skb for the rest of the data.
+
+However, if the attributes are small and nicely packed, it is possible
+that a dump callback function successfully fills in attributes until the
+skb is of size 4080 (libmnl's default page-sized receive buffer size).
+The dump function completes, satisfied, and then, if it happens to be
+that this is actually the last skb, and no further ones are to be sent,
+then netlink_dump will add on the NLMSG_DONE part:
+
+ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+
+It is very important that netlink_dump does this, of course. However, in
+this example, that call to nlmsg_put_answer will fail, because the
+previous filling by the dump function did not leave it enough room. And
+how could it possibly have done so? All of the nla_put variety of
+functions simply check to see if the skb has enough tailroom,
+independent of the context it is in.
+
+In order to keep the important assumptions of all netlink dump users, it
+is therefore important to give them an skb that has this end part of the
+tail already reserved, so that the call to nlmsg_put_answer does not
+fail. Otherwise, library authors are forced to find some bizarre sized
+receive buffer that has a large modulo relative to the common sizes of
+messages received, which is ugly and buggy.
+
+This patch thus saves the NLMSG_DONE for an additional message, for the
+case that things are dangerously close to the brim. This requires
+keeping track of the errno from ->dump() across calls.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netlink/af_netlink.c | 17 +++++++++++------
+ net/netlink/af_netlink.h | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2128,7 +2128,7 @@ static int netlink_dump(struct sock *sk)
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
+ struct module *module;
+- int len, err = -ENOBUFS;
++ int err = -ENOBUFS;
+ int alloc_min_size;
+ int alloc_size;
+
+@@ -2175,9 +2175,11 @@ static int netlink_dump(struct sock *sk)
+ skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+ netlink_skb_set_owner_r(skb, sk);
+
+- len = cb->dump(skb, cb);
++ if (nlk->dump_done_errno > 0)
++ nlk->dump_done_errno = cb->dump(skb, cb);
+
+- if (len > 0) {
++ if (nlk->dump_done_errno > 0 ||
++ skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))) {
+ mutex_unlock(nlk->cb_mutex);
+
+ if (sk_filter(sk, skb))
+@@ -2187,13 +2189,15 @@ static int netlink_dump(struct sock *sk)
+ return 0;
+ }
+
+- nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+- if (!nlh)
++ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE,
++ sizeof(nlk->dump_done_errno), NLM_F_MULTI);
++ if (WARN_ON(!nlh))
+ goto errout_skb;
+
+ nl_dump_check_consistent(cb, nlh);
+
+- memcpy(nlmsg_data(nlh), &len, sizeof(len));
++ memcpy(nlmsg_data(nlh), &nlk->dump_done_errno,
++ sizeof(nlk->dump_done_errno));
+
+ if (sk_filter(sk, skb))
+ kfree_skb(skb);
+@@ -2265,6 +2269,7 @@ int __netlink_dump_start(struct sock *ss
+ }
+
+ nlk->cb_running = true;
++ nlk->dump_done_errno = INT_MAX;
+
+ mutex_unlock(nlk->cb_mutex);
+
+--- a/net/netlink/af_netlink.h
++++ b/net/netlink/af_netlink.h
+@@ -33,6 +33,7 @@ struct netlink_sock {
+ wait_queue_head_t wait;
+ bool bound;
+ bool cb_running;
++ int dump_done_errno;
+ struct netlink_callback cb;
+ struct mutex *cb_mutex;
+ struct mutex cb_def_mutex;
diff --git a/patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch b/patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
new file mode 100644
index 0000000000..fcb4b99ef0
--- /dev/null
+++ b/patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
@@ -0,0 +1,42 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 6 Nov 2017 09:01:57 +0800
+Subject: bonding: discard lowest hash bit for 802.3ad layer3+4
+Git-commit: b5f862180d7011d9575d0499fa37f0f25b423b12
+Patch-mainline: v4.14
+References: networking-stable-17_11_20
+
+After commit 07f4c90062f8 ("tcp/dccp: try to not exhaust ip_local_port_range
+in connect()"), we will try to use even ports for connect(). Then if an
+application (seen clearly with iperf) opens multiple streams to the same
+destination IP and port, each stream will be given an even source port.
+
+So the bonding driver's simple xmit_hash_policy based on layer3+4 addressing
+will always hash all these streams to the same interface. And the total
+throughput will limited to a single slave.
+
+Change the tcp code will impact the whole tcp behavior, only for bonding
+usage. Paolo Abeni suggested fix this by changing the bonding code only,
+which should be more reasonable, and less impact.
+
+Fix this by discarding the lowest hash bit because it contains little entropy.
+After the fix we can re-balance between slaves.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3250,7 +3250,7 @@ u32 bond_xmit_hash(struct bonding *bond,
+ hash ^= (hash >> 16);
+ hash ^= (hash >> 8);
+
+- return hash;
++ return hash >> 1;
+ }
+
+ /*-------------------------- Device entry points ----------------------------*/
diff --git a/patches.suse/ethtool-do-not-print-warning-for-applications-using-.patch b/patches.suse/ethtool-do-not-print-warning-for-applications-using-.patch
new file mode 100644
index 0000000000..5b4da5bbc2
--- /dev/null
+++ b/patches.suse/ethtool-do-not-print-warning-for-applications-using-.patch
@@ -0,0 +1,60 @@
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 29 Dec 2017 10:02:52 -0800
+Subject: ethtool: do not print warning for applications using legacy API
+Git-commit: 71891e2dab6b55a870f8f7735e44a2963860b5c6
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+In kernel log ths message appears on every boot:
+ "warning: `NetworkChangeNo' uses legacy ethtool link settings API,
+ link modes are only partially reported"
+
+When ethtool link settings API changed, it started complaining about
+usages of old API. Ironically, the original patch was from google but
+the application using the legacy API is chrome.
+
+Linux ABI is fixed as much as possible. The kernel must not break it
+and should not complain about applications using legacy API's.
+This patch just removes the warning since using legacy API's
+in Linux is perfectly acceptable.
+
+Fixes: 3f1ac7a700d0 ("net: ethtool: add new ETHTOOL_xLINKSETTINGS API")
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David Decotigny <decot@googlers.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/ethtool.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -754,15 +754,6 @@ static int ethtool_set_link_ksettings(st
+ return dev->ethtool_ops->set_link_ksettings(dev, &link_ksettings);
+ }
+
+-static void
+-warn_incomplete_ethtool_legacy_settings_conversion(const char *details)
+-{
+- char name[sizeof(current->comm)];
+-
+- pr_info_once("warning: `%s' uses legacy ethtool link settings API, %s\n",
+- get_task_comm(name, current), details);
+-}
+-
+ /* Query device for its ethtool_cmd settings.
+ *
+ * Backward compatibility note: for compatibility with legacy ethtool,
+@@ -789,10 +780,8 @@ static int ethtool_get_settings(struct n
+ &link_ksettings);
+ if (err < 0)
+ return err;
+- if (!convert_link_ksettings_to_legacy_settings(&cmd,
+- &link_ksettings))
+- warn_incomplete_ethtool_legacy_settings_conversion(
+- "link modes are only partially reported");
++ convert_link_ksettings_to_legacy_settings(&cmd,
++ &link_ksettings);
+
+ /* send a sensible cmd tag back to user */
+ cmd.cmd = ETHTOOL_GSET;
diff --git a/patches.suse/fealnx-Fix-building-error-on-MIPS.patch b/patches.suse/fealnx-Fix-building-error-on-MIPS.patch
new file mode 100644
index 0000000000..0bc44bc2f6
--- /dev/null
+++ b/patches.suse/fealnx-Fix-building-error-on-MIPS.patch
@@ -0,0 +1,40 @@
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 16 Nov 2017 11:07:15 +0800
+Subject: fealnx: Fix building error on MIPS
+Git-commit: cc54c1d32e6a4bb3f116721abf900513173e4d02
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_11_20
+
+This patch try to fix the building error on MIPS. The reason is MIPS
+has already defined the LONG macro, which conflicts with the LONG enum
+in drivers/net/ethernet/fealnx.c.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/fealnx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/fealnx.c
++++ b/drivers/net/ethernet/fealnx.c
+@@ -257,8 +257,8 @@ enum rx_desc_status_bits {
+ RXFSD = 0x00000800, /* first descriptor */
+ RXLSD = 0x00000400, /* last descriptor */
+ ErrorSummary = 0x80, /* error summary */
+- RUNT = 0x40, /* runt packet received */
+- LONG = 0x20, /* long packet received */
++ RUNTPKT = 0x40, /* runt packet received */
++ LONGPKT = 0x20, /* long packet received */
+ FAE = 0x10, /* frame align error */
+ CRC = 0x08, /* crc error */
+ RXER = 0x04, /* receive error */
+@@ -1632,7 +1632,7 @@ static int netdev_rx(struct net_device *
+ dev->name, rx_status);
+
+ dev->stats.rx_errors++; /* end of a packet. */
+- if (rx_status & (LONG | RUNT))
++ if (rx_status & (LONGPKT | RUNTPKT))
+ dev->stats.rx_length_errors++;
+ if (rx_status & RXER)
+ dev->stats.rx_frame_errors++;
diff --git a/patches.suse/ip6_gre-fix-device-features-for-ioctl-setup.patch b/patches.suse/ip6_gre-fix-device-features-for-ioctl-setup.patch
new file mode 100644
index 0000000000..5f247139b1
--- /dev/null
+++ b/patches.suse/ip6_gre-fix-device-features-for-ioctl-setup.patch
@@ -0,0 +1,137 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Wed, 20 Dec 2017 19:36:03 +0300
+Subject: ip6_gre: fix device features for ioctl setup
+Git-commit: e5a9336adb317db55eb3fe8200856096f3c71109
+Patch-mainline: v4.15-rc6
+References: networking-stable-17_12_31
+
+When ip6gre is created using ioctl, its features, such as
+scatter-gather, GSO and tx-checksumming will be turned off:
+
+ # ip -f inet6 tunnel add gre6 mode ip6gre remote fd00::1
+ # ethtool -k gre6 (truncated output)
+ tx-checksumming: off
+ scatter-gather: off
+ tcp-segmentation-offload: off
+ generic-segmentation-offload: off [requested on]
+
+But when netlink is used, they will be enabled:
+ # ip link add gre6 type ip6gre remote fd00::1
+ # ethtool -k gre6 (truncated output)
+ tx-checksumming: on
+ scatter-gather: on
+ tcp-segmentation-offload: on
+ generic-segmentation-offload: on
+
+This results in a loss of performance when gre6 is created via ioctl.
+The issue was found with LTP/gre tests.
+
+Fix it by moving the setup of device features to a separate function
+and invoke it with ndo_init callback because both netlink and ioctl
+will eventually call it via register_netdevice():
+
+ register_netdevice()
+ - ndo_init() callback -> ip6gre_tunnel_init() or ip6gre_tap_init()
+ - ip6gre_tunnel_init_common()
+ - ip6gre_tnl_init_features()
+
+The moved code also contains two minor style fixes:
+ * removed needless tab from GRE6_FEATURES on NETIF_F_HIGHDMA line.
+ * fixed the issue reported by checkpatch: "Unnecessary parentheses around
+ 'nt->encap.type == TUNNEL_ENCAP_NONE'"
+
+Fixes: ac4eb009e477 ("ip6gre: Add support for basic offloads offloads excluding GSO")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_gre.c | 57 +++++++++++++++++++++++++++++------------------------
+ 1 file changed, 32 insertions(+), 25 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1020,6 +1020,36 @@ static void ip6gre_tunnel_setup(struct n
+ eth_random_addr(dev->perm_addr);
+ }
+
++#define GRE6_FEATURES (NETIF_F_SG | \
++ NETIF_F_FRAGLIST | \
++ NETIF_F_HIGHDMA | \
++ NETIF_F_HW_CSUM)
++
++static void ip6gre_tnl_init_features(struct net_device *dev)
++{
++ struct ip6_tnl *nt = netdev_priv(dev);
++
++ dev->features |= GRE6_FEATURES;
++ dev->hw_features |= GRE6_FEATURES;
++
++ if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
++ /* TCP offload with GRE SEQ is not supported, nor
++ * can we support 2 levels of outer headers requiring
++ * an update.
++ */
++ if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
++ nt->encap.type == TUNNEL_ENCAP_NONE) {
++ dev->features |= NETIF_F_GSO_SOFTWARE;
++ dev->hw_features |= NETIF_F_GSO_SOFTWARE;
++ }
++
++ /* Can use a lockless transmit, unless we generate
++ * output sequences
++ */
++ dev->features |= NETIF_F_LLTX;
++ }
++}
++
+ static int ip6gre_tunnel_init_common(struct net_device *dev)
+ {
+ struct ip6_tnl *tunnel;
+@@ -1054,6 +1084,8 @@ static int ip6gre_tunnel_init_common(str
+ if (!(tunnel->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
+ dev->mtu -= 8;
+
++ ip6gre_tnl_init_features(dev);
++
+ return 0;
+ }
+
+@@ -1300,11 +1332,6 @@ static const struct net_device_ops ip6gr
+ .ndo_get_iflink = ip6_tnl_get_iflink,
+ };
+
+-#define GRE6_FEATURES (NETIF_F_SG | \
+- NETIF_F_FRAGLIST | \
+- NETIF_F_HIGHDMA | \
+- NETIF_F_HW_CSUM)
+-
+ static void ip6gre_tap_setup(struct net_device *dev)
+ {
+
+@@ -1385,26 +1412,6 @@ static int ip6gre_newlink(struct net *sr
+ nt->net = dev_net(dev);
+ ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
+
+- dev->features |= GRE6_FEATURES;
+- dev->hw_features |= GRE6_FEATURES;
+-
+- if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
+- /* TCP offload with GRE SEQ is not supported, nor
+- * can we support 2 levels of outer headers requiring
+- * an update.
+- */
+- if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
+- (nt->encap.type == TUNNEL_ENCAP_NONE)) {
+- dev->features |= NETIF_F_GSO_SOFTWARE;
+- dev->hw_features |= NETIF_F_GSO_SOFTWARE;
+- }
+-
+- /* Can use a lockless transmit, unless we generate
+- * output sequences
+- */
+- dev->features |= NETIF_F_LLTX;
+- }
+-
+ err = register_netdevice(dev);
+ if (err)
+ goto out;
diff --git a/patches.suse/ip6_gre-ip6gre_tap-device-should-keep-dst.patch b/patches.suse/ip6_gre-ip6gre_tap-device-should-keep-dst.patch
new file mode 100644
index 0000000000..572333b7ff
--- /dev/null
+++ b/patches.suse/ip6_gre-ip6gre_tap-device-should-keep-dst.patch
@@ -0,0 +1,29 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 28 Sep 2017 13:23:50 +0800
+Subject: ip6_gre: ip6gre_tap device should keep dst
+Git-commit: 2d40557cc702ed8e5edd9bd422233f86652d932e
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+The patch 'ip_gre: ipgre_tap device should keep dst' fixed
+a issue that ipgre_tap mtu couldn't be updated in tx path.
+
+The same fix is needed for ip6gre_tap as well.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_gre.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1309,6 +1309,7 @@ static void ip6gre_tap_setup(struct net_
+ dev->features |= NETIF_F_NETNS_LOCAL;
+ dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+ dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
++ netif_keep_dst(dev);
+ }
+
+ static bool ip6gre_netlink_encap_parms(struct nlattr *data[],
diff --git a/patches.suse/ip6_gre-only-increase-err_count-for-some-certain-typ.patch b/patches.suse/ip6_gre-only-increase-err_count-for-some-certain-typ.patch
new file mode 100644
index 0000000000..b9c6dc30eb
--- /dev/null
+++ b/patches.suse/ip6_gre-only-increase-err_count-for-some-certain-typ.patch
@@ -0,0 +1,62 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 26 Oct 2017 19:23:27 +0800
+Subject: ip6_gre: only increase err_count for some certain type icmpv6 in
+ ip6gre_err
+Git-commit: f8d20b46ce55cf40afb30dcef6d9288f7ef46d9b
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+The similar fix in patch 'ipip: only increase err_count for some
+certain type icmp in ipip_err' is needed for ip6gre_err.
+
+In Jianlin's case, udp netperf broke even when receiving a TooBig
+icmpv6 packet.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_gre.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -408,13 +408,16 @@ static void ip6gre_err(struct sk_buff *s
+ case ICMPV6_DEST_UNREACH:
+ net_dbg_ratelimited("%s: Path to destination invalid or inactive!\n",
+ t->parms.name);
+- break;
++ if (code != ICMPV6_PORT_UNREACH)
++ break;
++ return;
+ case ICMPV6_TIME_EXCEED:
+ if (code == ICMPV6_EXC_HOPLIMIT) {
+ net_dbg_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n",
+ t->parms.name);
++ break;
+ }
+- break;
++ return;
+ case ICMPV6_PARAMPROB:
+ teli = 0;
+ if (code == ICMPV6_HDR_FIELD)
+@@ -430,7 +433,7 @@ static void ip6gre_err(struct sk_buff *s
+ net_dbg_ratelimited("%s: Recipient unable to parse tunneled packet!\n",
+ t->parms.name);
+ }
+- break;
++ return;
+ case ICMPV6_PKT_TOOBIG:
+ mtu = be32_to_cpu(info) - offset - t->tun_hlen;
+ if (t->dev->type == ARPHRD_ETHER)
+@@ -438,7 +441,7 @@ static void ip6gre_err(struct sk_buff *s
+ if (mtu < IPV6_MIN_MTU)
+ mtu = IPV6_MIN_MTU;
+ t->dev->mtu = mtu;
+- break;
++ return;
+ }
+
+ if (time_before(jiffies, t->err_time + IP6TUNNEL_ERR_TIMEO))
diff --git a/patches.suse/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-i.patch b/patches.suse/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-i.patch
new file mode 100644
index 0000000000..afd0d1350d
--- /dev/null
+++ b/patches.suse/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-i.patch
@@ -0,0 +1,73 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 15 Sep 2017 12:00:07 +0800
+Subject: ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
+Git-commit: 76cc0d3282d4b933fa144fa41fbc5318e0fdca24
+Patch-mainline: v4.14-rc2
+References: networking-stable-17_10_09
+
+Now in ip6gre_header before packing the ipv6 header, it skb_push t->hlen
+which only includes encap_hlen + tun_hlen. It means greh and inner header
+would be over written by ipv6 stuff and ipv6h might have no chance to set
+up.
+
+Jianlin found this issue when using remote any on ip6_gre, the packets he
+captured on gre dev are truncated:
+
+22:50:26.210866 Out ethertype IPv6 (0x86dd), length 120: truncated-ip6 -\
+8128 bytes missing!(flowlabel 0x92f40, hlim 0, next-header Options (0) \
+payload length: 8192) ::1:2000:0 > ::1:0:86dd: HBH [trunc] ip-proto-128 \
+8184
+
+It should also skb_push ipv6hdr so that ipv6h points to the right position
+to set ipv6 stuff up.
+
+This patch is to skb_push hlen + sizeof(*ipv6h) and also fix some indents
+in ip6gre_header.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_gre.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -940,24 +940,25 @@ done:
+ }
+
+ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+- unsigned short type,
+- const void *daddr, const void *saddr, unsigned int len)
++ unsigned short type, const void *daddr,
++ const void *saddr, unsigned int len)
+ {
+ struct ip6_tnl *t = netdev_priv(dev);
+- struct ipv6hdr *ipv6h = skb_push(skb, t->hlen);
+- __be16 *p = (__be16 *)(ipv6h+1);
++ struct ipv6hdr *ipv6h;
++ __be16 *p;
+
+- ip6_flow_hdr(ipv6h, 0,
+- ip6_make_flowlabel(dev_net(dev), skb,
+- t->fl.u.ip6.flowlabel, true,
+- &t->fl.u.ip6));
++ ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++ ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
++ t->fl.u.ip6.flowlabel,
++ true, &t->fl.u.ip6));
+ ipv6h->hop_limit = t->parms.hop_limit;
+ ipv6h->nexthdr = NEXTHDR_GRE;
+ ipv6h->saddr = t->parms.laddr;
+ ipv6h->daddr = t->parms.raddr;
+
+- p[0] = t->parms.o_flags;
+- p[1] = htons(type);
++ p = (__be16 *)(ipv6h + 1);
++ p[0] = t->parms.o_flags;
++ p[1] = htons(type);
+
+ /*
+ * Set the source hardware address.
diff --git a/patches.suse/ip6_gre-update-dst-pmtu-if-dev-mtu-has-been-updated-.patch b/patches.suse/ip6_gre-update-dst-pmtu-if-dev-mtu-has-been-updated-.patch
new file mode 100644
index 0000000000..601e29a723
--- /dev/null
+++ b/patches.suse/ip6_gre-update-dst-pmtu-if-dev-mtu-has-been-updated-.patch
@@ -0,0 +1,66 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 26 Oct 2017 19:27:17 +0800
+Subject: ip6_gre: update dst pmtu if dev mtu has been updated by toobig in
+ __gre6_xmit
+Git-commit: 8aec4959d832bae0889a8e2f348973b5e4abffef
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+When receiving a Toobig icmpv6 packet, ip6gre_err would just set
+tunnel dev's mtu, that's not enough. For skb_dst(skb)'s pmtu may
+still be using the old value, it has no chance to be updated with
+tunnel dev's mtu.
+
+Jianlin found this issue by reducing route's mtu while running
+netperf, the performance went to 0.
+
+ip6ip6 and ip4ip6 tunnel can work well with this, as they lookup
+the upper dst and update_pmtu it's pmtu or icmpv6_send a Toobig
+to upper socket after setting tunnel dev's mtu.
+
+We couldn't do that for ip6_gre, as gre's inner packet could be
+any protocol, it's difficult to handle them (like lookup upper
+dst) in a good way.
+
+So this patch is to fix it by updating skb_dst(skb)'s pmtu when
+dev->mtu < skb_dst(skb)'s pmtu in tx path. It's safe to do this
+update there, as usually dev->mtu <= skb_dst(skb)'s pmtu and no
+performance regression can be caused by this.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_gre.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -503,8 +503,8 @@ static netdev_tx_t __gre6_xmit(struct sk
+ __u32 *pmtu, __be16 proto)
+ {
+ struct ip6_tnl *tunnel = netdev_priv(dev);
+- __be16 protocol = (dev->type == ARPHRD_ETHER) ?
+- htons(ETH_P_TEB) : proto;
++ struct dst_entry *dst = skb_dst(skb);
++ __be16 protocol;
+
+ if (dev->type == ARPHRD_ETHER)
+ IPCB(skb)->flags = 0;
+@@ -518,9 +518,14 @@ static netdev_tx_t __gre6_xmit(struct sk
+ tunnel->o_seqno++;
+
+ /* Push GRE header. */
++ protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
+ gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags,
+ protocol, tunnel->parms.o_key, htonl(tunnel->o_seqno));
+
++ /* TooBig packet may have updated dst->dev's mtu */
++ if (dst && dst_mtu(dst) > dst->dev->mtu)
++ dst->ops->update_pmtu(dst, NULL, skb, dst->dev->mtu);
++
+ return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu,
+ NEXTHDR_GRE);
+ }
diff --git a/patches.suse/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-sta.patch b/patches.suse/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-sta.patch
new file mode 100644
index 0000000000..332dcac388
--- /dev/null
+++ b/patches.suse/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-sta.patch
@@ -0,0 +1,39 @@
+From: Eli Cooper <elicooper@gmx.com>
+Date: Mon, 25 Dec 2017 10:43:49 +0800
+Subject: ip6_tunnel: disable dst caching if tunnel is dual-stack
+Git-commit: 23263ec86a5f44312d2899323872468752324107
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+When an ip6_tunnel is in mode 'any', where the transport layer
+protocol can be either 4 or 41, dst_cache must be disabled.
+
+This is because xfrm policies might apply to only one of the two
+protocols. Caching dst would cause xfrm policies for one protocol
+incorrectly used for the other.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1081,10 +1081,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, st
+ memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
+ neigh_release(neigh);
+ }
+- } else if (!(t->parms.flags &
+- (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
+- /* enable the cache only only if the routing decision does
+- * not depend on the current inner header value
++ } else if (t->parms.proto != 0 && !(t->parms.flags &
++ (IP6_TNL_F_USE_ORIG_TCLASS |
++ IP6_TNL_F_USE_ORIG_FWMARK))) {
++ /* enable the cache only if neither the outer protocol nor the
++ * routing decision depends on the current inner header value
+ */
+ use_cache = true;
+ }
diff --git a/patches.suse/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-i.patch b/patches.suse/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-i.patch
new file mode 100644
index 0000000000..5bd69f6195
--- /dev/null
+++ b/patches.suse/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-i.patch
@@ -0,0 +1,59 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 15 Sep 2017 15:58:33 +0800
+Subject: ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in
+ cmdline
+Git-commit: 8c22dab03ad072e45060c299c70d02a4f6fc4aab
+Patch-mainline: v4.14-rc2
+References: networking-stable-17_10_09
+
+If ipv6 has been disabled from cmdline since kernel started, it makes
+no sense to allow users to create any ip6 tunnel. Otherwise, it could
+some potential problem.
+
+Jianlin found a kernel crash caused by this in ip6_gre when he set
+ipv6.disable=1 in grub:
+
+[ 209.588865] Unable to handle kernel paging request for data at address 0x00000080
+[ 209.588872] Faulting instruction address: 0xc000000000a3aa6c
+[ 209.588879] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 209.589062] NIP [c000000000a3aa6c] fib_rules_lookup+0x4c/0x260
+[ 209.589071] LR [c000000000b9ad90] fib6_rule_lookup+0x50/0xb0
+[ 209.589076] Call Trace:
+[ 209.589097] fib6_rule_lookup+0x50/0xb0
+[ 209.589106] rt6_lookup+0xc4/0x110
+[ 209.589116] ip6gre_tnl_link_config+0x214/0x2f0 [ip6_gre]
+[ 209.589125] ip6gre_newlink+0x138/0x3a0 [ip6_gre]
+[ 209.589134] rtnl_newlink+0x798/0xb80
+[ 209.589142] rtnetlink_rcv_msg+0xec/0x390
+[ 209.589151] netlink_rcv_skb+0x138/0x150
+[ 209.589159] rtnetlink_rcv+0x48/0x70
+[ 209.589169] netlink_unicast+0x538/0x640
+[ 209.589175] netlink_sendmsg+0x40c/0x480
+[ 209.589184] ___sys_sendmsg+0x384/0x4e0
+[ 209.589194] SyS_sendmsg+0xd4/0x140
+[ 209.589201] SyS_socketcall+0x3e0/0x4f0
+[ 209.589209] system_call+0x38/0xe0
+
+This patch is to return -EOPNOTSUPP in ip6_tunnel_init if ipv6 has been
+disabled from cmdline.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -2257,6 +2257,9 @@ static int __init ip6_tunnel_init(void)
+ {
+ int err;
+
++ if (!ipv6_mod_enabled())
++ return -EOPNOTSUPP;
++
+ err = register_pernet_device(&ip6_tnl_net_ops);
+ if (err < 0)
+ goto out_pernet;
diff --git a/patches.suse/ip6_tunnel-update-mtu-properly-for-ARPHRD_ETHER-tunn.patch b/patches.suse/ip6_tunnel-update-mtu-properly-for-ARPHRD_ETHER-tunn.patch
new file mode 100644
index 0000000000..3ffd2cf7e1
--- /dev/null
+++ b/patches.suse/ip6_tunnel-update-mtu-properly-for-ARPHRD_ETHER-tunn.patch
@@ -0,0 +1,47 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 28 Sep 2017 13:24:07 +0800
+Subject: ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx
+ path
+Git-commit: d41bb33ba33b8f8debe54ed36be6925eb496e354
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+Now when updating mtu in tx path, it doesn't consider ARPHRD_ETHER tunnel
+device, like ip6gre_tap tunnel, for which it should also subtract ether
+header to get the correct mtu.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1043,6 +1043,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, st
+ struct dst_entry *dst = NULL, *ndst = NULL;
+ struct net_device *tdev;
+ int mtu;
++ unsigned int eth_hlen = t->dev->type == ARPHRD_ETHER ? ETH_HLEN : 0;
+ unsigned int psh_hlen = sizeof(struct ipv6hdr) + t->encap_hlen;
+ unsigned int max_headroom = psh_hlen;
+ bool use_cache = false;
+@@ -1124,7 +1125,7 @@ route_lookup:
+ t->parms.name);
+ goto tx_err_dst_release;
+ }
+- mtu = dst_mtu(dst) - psh_hlen - t->tun_hlen;
++ mtu = dst_mtu(dst) - eth_hlen - psh_hlen - t->tun_hlen;
+ if (encap_limit >= 0) {
+ max_headroom += 8;
+ mtu -= 8;
+@@ -1133,7 +1134,7 @@ route_lookup:
+ mtu = IPV6_MIN_MTU;
+ if (skb_dst(skb) && !t->parms.collect_md)
+ skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
+- if (skb->len - t->tun_hlen > mtu && !skb_is_gso(skb)) {
++ if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {
+ *pmtu = mtu;
+ err = -EMSGSIZE;
+ goto tx_err_dst_release;
diff --git a/patches.suse/ipip-only-increase-err_count-for-some-certain-type-i.patch b/patches.suse/ipip-only-increase-err_count-for-some-certain-type-i.patch
new file mode 100644
index 0000000000..6e27d17d08
--- /dev/null
+++ b/patches.suse/ipip-only-increase-err_count-for-some-certain-type-i.patch
@@ -0,0 +1,125 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 26 Oct 2017 19:19:56 +0800
+Subject: ipip: only increase err_count for some certain type icmp in ipip_err
+Git-commit: f3594f0a7ea36661d7fd942facd7f31a64245f1a
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+t->err_count is used to count the link failure on tunnel and an err
+will be reported to user socket in tx path if t->err_count is not 0.
+udp socket could even return EHOSTUNREACH to users.
+
+Since commit fd58156e456d ("IPIP: Use ip-tunneling code.") removed
+the 'switch check' for icmp type in ipip_err(), err_count would be
+increased by the icmp packet with ICMP_EXC_FRAGTIME code. an link
+failure would be reported out due to this.
+
+In Jianlin's case, when receiving ICMP_EXC_FRAGTIME a icmp packet,
+udp netperf failed with the err:
+ send_data: data send error: No route to host (errno 113)
+
+We expect this error reported from tunnel to socket when receiving
+some certain type icmp, but not ICMP_EXC_FRAGTIME, ICMP_SR_FAILED
+or ICMP_PARAMETERPROB ones.
+
+This patch is to bring 'switch check' for icmp type back to ipip_err
+so that it only reports link failure for the right type icmp, just as
+in ipgre_err() and ipip6_err().
+
+Fixes: fd58156e456d ("IPIP: Use ip-tunneling code.")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/ipip.c | 59 +++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 42 insertions(+), 17 deletions(-)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -128,43 +128,68 @@ static struct rtnl_link_ops ipip_link_op
+
+ static int ipip_err(struct sk_buff *skb, u32 info)
+ {
+-
+-/* All the routers (except for Linux) return only
+- 8 bytes of packet payload. It means, that precise relaying of
+- ICMP in the real Internet is absolutely infeasible.
+- */
++ /* All the routers (except for Linux) return only
++ * 8 bytes of packet payload. It means, that precise relaying of
++ * ICMP in the real Internet is absolutely infeasible.
++ */
+ struct net *net = dev_net(skb->dev);
+ struct ip_tunnel_net *itn = net_generic(net, ipip_net_id);
+ const struct iphdr *iph = (const struct iphdr *)skb->data;
+- struct ip_tunnel *t;
+- int err;
+ const int type = icmp_hdr(skb)->type;
+ const int code = icmp_hdr(skb)->code;
++ struct ip_tunnel *t;
++ int err = 0;
++
++ switch (type) {
++ case ICMP_DEST_UNREACH:
++ switch (code) {
++ case ICMP_SR_FAILED:
++ /* Impossible event. */
++ goto out;
++ default:
++ /* All others are translated to HOST_UNREACH.
++ * rfc2003 contains "deep thoughts" about NET_UNREACH,
++ * I believe they are just ether pollution. --ANK
++ */
++ break;
++ }
++ break;
++
++ case ICMP_TIME_EXCEEDED:
++ if (code != ICMP_EXC_TTL)
++ goto out;
++ break;
++
++ case ICMP_REDIRECT:
++ break;
++
++ default:
++ goto out;
++ }
+
+- err = -ENOENT;
+ t = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+ iph->daddr, iph->saddr, 0);
+- if (!t)
++ if (!t) {
++ err = -ENOENT;
+ goto out;
++ }
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+- ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+- t->parms.link, 0, iph->protocol, 0);
+- err = 0;
++ ipv4_update_pmtu(skb, net, info, t->parms.link, 0,
++ iph->protocol, 0);
+ goto out;
+ }
+
+ if (type == ICMP_REDIRECT) {
+- ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
+- iph->protocol, 0);
+- err = 0;
++ ipv4_redirect(skb, net, t->parms.link, 0, iph->protocol, 0);
+ goto out;
+ }
+
+- if (t->parms.iph.daddr == 0)
++ if (t->parms.iph.daddr == 0) {
++ err = -ENOENT;
+ goto out;
++ }
+
+- err = 0;
+ if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
+ goto out;
+
diff --git a/patches.suse/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch b/patches.suse/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch
new file mode 100644
index 0000000000..251ebbec90
--- /dev/null
+++ b/patches.suse/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch
@@ -0,0 +1,56 @@
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 20 Dec 2017 19:34:19 +0200
+Subject: ipv4: Fix use-after-free when flushing FIB tables
+Git-commit: b4681c2829e24943aadd1a7bb3a30d41d0a20050
+Patch-mainline: v4.15-rc5
+References: networking-stable-17_12_31
+
+Since commit 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") the
+local table uses the same trie allocated for the main table when custom
+rules are not in use.
+
+When a net namespace is dismantled, the main table is flushed and freed
+(via an RCU callback) before the local table. In case the callback is
+invoked before the local table is iterated, a use-after-free can occur.
+
+Fix this by iterating over the FIB tables in reverse order, so that the
+main table is always freed after the local table.
+
+v3: Reworded comment according to Alex's suggestion.
+v2: Add a comment to make the fix more explicit per Dave's and Alex's
+feedback.
+
+Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/fib_frontend.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1261,14 +1261,19 @@ fail:
+
+ static void ip_fib_net_exit(struct net *net)
+ {
+- unsigned int i;
++ int i;
+
+ rtnl_lock();
+ #ifdef CONFIG_IP_MULTIPLE_TABLES
+ RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
+ RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
+ #endif
+- for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
++ /* Destroy the tables in reverse order to guarantee that the
++ * local table, ID 255, is destroyed before the main table, ID
++ * 254. This is necessary as the local table may contain
++ * references to data contained in the main table.
++ */
++ for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
+ struct hlist_head *head = &net->ipv4.fib_table_hash[i];
+ struct hlist_node *tmp;
+ struct fib_table *tb;
diff --git a/patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch b/patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch
new file mode 100644
index 0000000000..b1530a6515
--- /dev/null
+++ b/patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch
@@ -0,0 +1,59 @@
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Mon, 22 Jan 2018 20:06:42 +0000
+Subject: ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
+Git-commit: e9191ffb65d8e159680ce0ad2224e1acbde6985c
+Patch-mainline: v4.15
+References: git-fixes
+
+Commit 513674b5a2c9 ("net: reevalulate autoflowlabel setting after
+sysctl setting") removed the initialisation of
+ipv6_pinfo::autoflowlabel and added a second flag to indicate
+whether this field or the net namespace default should be used.
+
+The getsockopt() handling for this case was not updated, so it
+currently returns 0 for all sockets for which IPV6_AUTOFLOWLABEL is
+not explicitly enabled. Fix it to return the effective value, whether
+that has been set at the socket or net namespace level.
+
+Fixes: 513674b5a2c9 ("net: reevalulate autoflowlabel setting after sysctl ...")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/ipv6.h | 1 +
+ net/ipv6/ip6_output.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -290,6 +290,7 @@ int ipv6_flowlabel_opt_get(struct sock *
+ int flags);
+ int ip6_flowlabel_init(void);
+ void ip6_flowlabel_cleanup(void);
++bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np);
+
+ static inline void fl6_sock_release(struct ip6_flowlabel *fl)
+ {
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -166,7 +166,7 @@ int ip6_output(struct net *net, struct s
+ !(IP6CB(skb)->flags & IP6SKB_REROUTED));
+ }
+
+-static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
++bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+ {
+ if (!np->autoflowlabel_set)
+ return ip6_default_np_autolabel(net);
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -1329,7 +1329,7 @@ static int do_ipv6_getsockopt(struct soc
+ break;
+
+ case IPV6_AUTOFLOWLABEL:
+- val = np->autoflowlabel;
++ val = ip6_autoflowlabel(sock_net(sk), np);
+ break;
+
+ case IPV6_RECVFRAGSIZE:
diff --git a/patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch b/patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch
new file mode 100644
index 0000000000..94539eed3e
--- /dev/null
+++ b/patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch
@@ -0,0 +1,101 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 21 Oct 2017 12:26:23 -0700
+Subject: ipv6: flowlabel: do not leave opt->tot_len with garbage
+Git-commit: 864e2a1f8aac05effac6063ce316b480facb46ff
+Patch-mainline: v4.14-rc6
+References: networking-stable-17_11_14
+
+When syzkaller team brought us a C repro for the crash [1] that
+had been reported many times in the past, I finally could find
+the root cause.
+
+If FlowLabel info is merged by fl6_merge_options(), we leave
+part of the opt_space storage provided by udp/raw/l2tp with random value
+in opt_space.tot_len, unless a control message was provided at sendmsg()
+time.
+
+Then ip6_setup_cork() would use this random value to perform a kzalloc()
+call. Undefined behavior and crashes.
+
+Fix is to properly set tot_len in fl6_merge_options()
+
+At the same time, we can also avoid consuming memory and cpu cycles
+to clear it, if every option is copied via a kmemdup(). This is the
+change in ip6_setup_cork().
+
+[1]
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 6613 Comm: syz-executor0 Not tainted 4.14.0-rc4+ #127
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+task: ffff8801cb64a100 task.stack: ffff8801cc350000
+RIP: 0010:ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168
+RSP: 0018:ffff8801cc357550 EFLAGS: 00010203
+RAX: dffffc0000000000 RBX: ffff8801cc357748 RCX: 0000000000000010
+RDX: 0000000000000002 RSI: ffffffff842bd1d9 RDI: 0000000000000014
+RBP: ffff8801cc357620 R08: ffff8801cb17f380 R09: ffff8801cc357b10
+R10: ffff8801cb64a100 R11: 0000000000000000 R12: ffff8801cc357ab0
+R13: ffff8801cc357b10 R14: 0000000000000000 R15: ffff8801c3bbf0c0
+FS: 00007f9c5c459700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020324000 CR3: 00000001d1cf2000 CR4: 00000000001406f0
+DR0: 0000000020001010 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+Call Trace:
+ ip6_make_skb+0x282/0x530 net/ipv6/ip6_output.c:1729
+ udpv6_sendmsg+0x2769/0x3380 net/ipv6/udp.c:1340
+ inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ SYSC_sendto+0x358/0x5a0 net/socket.c:1750
+ SyS_sendto+0x40/0x50 net/socket.c:1718
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+RIP: 0033:0x4520a9
+RSP: 002b:00007f9c5c458c08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
+RDX: 0000000000000001 RSI: 0000000020fd1000 RDI: 0000000000000016
+RBP: 0000000000000086 R08: 0000000020e0afe4 R09: 000000000000001c
+R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb1ee
+R13: 00000000ffffffff R14: 0000000000000016 R15: 0000000000000029
+Code: e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ea 0f 00 00 48 8d 79 04 48 b8 00 00 00 00 00 fc ff df 45 8b 74 24 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
+RIP: ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168 RSP: ffff8801cc357550
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_flowlabel.c | 1 +
+ net/ipv6/ip6_output.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -315,6 +315,7 @@ struct ipv6_txoptions *fl6_merge_options
+ }
+ opt_space->dst1opt = fopt->dst1opt;
+ opt_space->opt_flen = fopt->opt_flen;
++ opt_space->tot_len = fopt->tot_len;
+ return opt_space;
+ }
+ EXPORT_SYMBOL_GPL(fl6_merge_options);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1162,11 +1162,11 @@ static int ip6_setup_cork(struct sock *s
+ if (WARN_ON(v6_cork->opt))
+ return -EINVAL;
+
+- v6_cork->opt = kzalloc(opt->tot_len, sk->sk_allocation);
++ v6_cork->opt = kzalloc(sizeof(*opt), sk->sk_allocation);
+ if (unlikely(!v6_cork->opt))
+ return -ENOBUFS;
+
+- v6_cork->opt->tot_len = opt->tot_len;
++ v6_cork->opt->tot_len = sizeof(*opt);
+ v6_cork->opt->opt_flen = opt->opt_flen;
+ v6_cork->opt->opt_nflen = opt->opt_nflen;
+
diff --git a/patches.suse/ipv6-mcast-better-catch-silly-mtu-values.patch b/patches.suse/ipv6-mcast-better-catch-silly-mtu-values.patch
new file mode 100644
index 0000000000..18690888da
--- /dev/null
+++ b/patches.suse/ipv6-mcast-better-catch-silly-mtu-values.patch
@@ -0,0 +1,146 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 11 Dec 2017 07:03:38 -0800
+Subject: ipv6: mcast: better catch silly mtu values
+Git-commit: b9b312a7a451e9c098921856e7cfbc201120e1a7
+Patch-mainline: v4.15-rc4
+References: networking-stable-17_12_31
+
+syzkaller reported crashes in IPv6 stack [1]
+
+Xin Long found that lo MTU was set to silly values.
+
+IPv6 stack reacts to changes to small MTU, by disabling itself under
+RTNL.
+
+But there is a window where threads not using RTNL can see a wrong
+device mtu. This can lead to surprises, in mld code where it is assumed
+the mtu is suitable.
+
+Fix this by reading device mtu once and checking IPv6 minimal MTU.
+
+[1]
+ skbuff: skb_over_panic: text:0000000010b86b8d len:196 put:20
+ head:000000003b477e60 data:000000000e85441e tail:0xd4 end:0xc0 dev:lo
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:104!
+ invalid opcode: 0000 [#1] SMP KASAN
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Modules linked in:
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.15.0-rc2-mm1+ #39
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ RIP: 0010:skb_panic+0x15c/0x1f0 net/core/skbuff.c:100
+ RSP: 0018:ffff8801db307508 EFLAGS: 00010286
+ RAX: 0000000000000082 RBX: ffff8801c517e840 RCX: 0000000000000000
+ RDX: 0000000000000082 RSI: 1ffff1003b660e61 RDI: ffffed003b660e95
+ RBP: ffff8801db307570 R08: 1ffff1003b660e23 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff85bd4020
+ R13: ffffffff84754ed2 R14: 0000000000000014 R15: ffff8801c4e26540
+ FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000463610 CR3: 00000001c6698000 CR4: 00000000001406e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ skb_over_panic net/core/skbuff.c:109 [inline]
+ skb_put+0x181/0x1c0 net/core/skbuff.c:1694
+ add_grhead.isra.24+0x42/0x3b0 net/ipv6/mcast.c:1695
+ add_grec+0xa55/0x1060 net/ipv6/mcast.c:1817
+ mld_send_cr net/ipv6/mcast.c:1903 [inline]
+ mld_ifc_timer_expire+0x4d2/0x770 net/ipv6/mcast.c:2448
+ call_timer_fn+0x23b/0x840 kernel/time/timer.c:1320
+ expire_timers kernel/time/timer.c:1357 [inline]
+ __run_timers+0x7e1/0xb60 kernel/time/timer.c:1660
+ run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
+ __do_softirq+0x29d/0xbb2 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d3/0x210 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:540 [inline]
+ smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:920
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Tested-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/mcast.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1682,16 +1682,16 @@ static int grec_size(struct ifmcaddr6 *p
+ }
+
+ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
+- int type, struct mld2_grec **ppgr)
++ int type, struct mld2_grec **ppgr, unsigned int mtu)
+ {
+- struct net_device *dev = pmc->idev->dev;
+ struct mld2_report *pmr;
+ struct mld2_grec *pgr;
+
+- if (!skb)
+- skb = mld_newpack(pmc->idev, dev->mtu);
+- if (!skb)
+- return NULL;
++ if (!skb) {
++ skb = mld_newpack(pmc->idev, mtu);
++ if (!skb)
++ return NULL;
++ }
+ pgr = skb_put(skb, sizeof(struct mld2_grec));
+ pgr->grec_type = type;
+ pgr->grec_auxwords = 0;
+@@ -1714,10 +1714,15 @@ static struct sk_buff *add_grec(struct s
+ struct mld2_grec *pgr = NULL;
+ struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list;
+ int scount, stotal, first, isquery, truncate;
++ unsigned int mtu;
+
+ if (pmc->mca_flags & MAF_NOREPORT)
+ return skb;
+
++ mtu = READ_ONCE(dev->mtu);
++ if (mtu < IPV6_MIN_MTU)
++ return skb;
++
+ isquery = type == MLD2_MODE_IS_INCLUDE ||
+ type == MLD2_MODE_IS_EXCLUDE;
+ truncate = type == MLD2_MODE_IS_EXCLUDE ||
+@@ -1738,7 +1743,7 @@ static struct sk_buff *add_grec(struct s
+ AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
+ if (skb)
+ mld_sendpack(skb);
+- skb = mld_newpack(idev, dev->mtu);
++ skb = mld_newpack(idev, mtu);
+ }
+ }
+ first = 1;
+@@ -1774,12 +1779,12 @@ static struct sk_buff *add_grec(struct s
+ pgr->grec_nsrcs = htons(scount);
+ if (skb)
+ mld_sendpack(skb);
+- skb = mld_newpack(idev, dev->mtu);
++ skb = mld_newpack(idev, mtu);
+ first = 1;
+ scount = 0;
+ }
+ if (first) {
+- skb = add_grhead(skb, pmc, type, &pgr);
++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
+ first = 0;
+ }
+ if (!skb)
+@@ -1814,7 +1819,7 @@ empty_source:
+ mld_sendpack(skb);
+ skb = NULL; /* add_grhead will get a new one */
+ }
+- skb = add_grhead(skb, pmc, type, &pgr);
++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
+ }
+ }
+ if (pgr)
diff --git a/patches.suse/ipv6-sr-fix-TLVs-not-being-copied-using-setsockopt.patch b/patches.suse/ipv6-sr-fix-TLVs-not-being-copied-using-setsockopt.patch
new file mode 100644
index 0000000000..1effda4a8a
--- /dev/null
+++ b/patches.suse/ipv6-sr-fix-TLVs-not-being-copied-using-setsockopt.patch
@@ -0,0 +1,45 @@
+From: Mathieu Xhonneux <m.xhonneux@gmail.com>
+Date: Wed, 10 Jan 2018 13:35:49 +0000
+Subject: ipv6: sr: fix TLVs not being copied using setsockopt
+Git-commit: ccc12b11c5332c84442ef120dcd631523be75089
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Function ipv6_push_rthdr4 allows to add an IPv6 Segment Routing Header
+to a socket through setsockopt, but the current implementation doesn't
+copy possible TLVs at the end of the SRH received from userspace.
+
+Therefore, the execution of the following branch if (sr_has_hmac(sr_phdr))
+{ ... } will never complete since the len and type fields of a possible
+HMAC TLV are not copied, hence seg6_get_tlv_hmac will return an error,
+and the HMAC will not be computed.
+
+This commit adds a memcpy in case TLVs have been appended to the SRH.
+
+Fixes: a149e7c7ce81 ("ipv6: sr: add support for SRH injection through setsockopt")
+Acked-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/exthdrs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -883,6 +883,15 @@ static void ipv6_push_rthdr4(struct sk_b
+ sr_phdr->segments[0] = **addr_p;
+ *addr_p = &sr_ihdr->segments[hops - 1];
+
++ if (sr_ihdr->hdrlen > hops * 2) {
++ int tlvs_offset, tlvs_length;
++
++ tlvs_offset = (1 + hops * 2) << 3;
++ tlvs_length = (sr_ihdr->hdrlen - hops * 2) << 3;
++ memcpy((char *)sr_phdr + tlvs_offset,
++ (char *)sr_ihdr + tlvs_offset, tlvs_length);
++ }
++
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+ if (sr_has_hmac(sr_phdr)) {
+ struct net *net = NULL;
diff --git a/patches.drivers/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill b/patches.suse/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
index 7461fdca8e..e5c90ed6b1 100644
--- a/patches.drivers/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill
+++ b/patches.suse/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
@@ -1,10 +1,9 @@
-From 6ad0435991482107664f65b7ae3fd588f10149d4 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Tue, 25 Apr 2017 10:21:18 +0200
-Subject: [PATCH] iwlwifi: mvm: don't warn in queue sync on RF-kill
+Subject: iwlwifi: mvm: don't warn in queue sync on RF-kill
Git-commit: 6ad0435991482107664f65b7ae3fd588f10149d4
-Patch-mainline: 4.13-rc1
-References: bsc#1051510
+Patch-mainline: v4.13-rc1
+References: bsc#1051510 FATE#322675
If we happen to be in or get into the queue sync when RF-kill
is asserted, we return from there and warn since there are
@@ -20,16 +19,15 @@ To make it fast, also trigger the waitq when on rfkill assert.
Fixes: 0636b938214c ("iwlwifi: mvm: implement driver RX queues sync command")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 +++++---
- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 ++--
- 2 files changed, 7 insertions(+), 5 deletions(-)
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 14 ++++++++++++--
+ 2 files changed, 17 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-@@ -4268,11 +4268,13 @@ void iwl_mvm_sync_rx_queues_internal(str
+@@ -4295,11 +4295,13 @@ void iwl_mvm_sync_rx_queues_internal(str
goto out;
}
@@ -48,7 +46,24 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
atomic_set(&mvm->queue_sync_counter, 0);
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
-@@ -1112,7 +1112,7 @@ void iwl_mvm_set_hw_ctkill_state(struct
+@@ -1094,6 +1094,16 @@ static void iwl_mvm_wake_sw_queue(struct
+ iwl_mvm_start_mac_queues(mvm, mq);
+ }
+
++static void iwl_mvm_set_rfkill_state(struct iwl_mvm *mvm)
++{
++ bool state = iwl_mvm_is_radio_killed(mvm);
++
++ if (state)
++ wake_up(&mvm->rx_sync_waitq);
++
++ wiphy_rfkill_set_hw_state(mvm->hw->wiphy, state);
++}
++
+ void iwl_mvm_set_hw_ctkill_state(struct iwl_mvm *mvm, bool state)
+ {
+ if (state)
+@@ -1101,7 +1111,7 @@ void iwl_mvm_set_hw_ctkill_state(struct
else
clear_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status);
@@ -57,7 +72,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
}
static bool iwl_mvm_set_hw_rfkill_state(struct iwl_op_mode *op_mode, bool state)
-@@ -1125,7 +1125,7 @@ static bool iwl_mvm_set_hw_rfkill_state(
+@@ -1114,7 +1124,7 @@ static bool iwl_mvm_set_hw_rfkill_state(
else
clear_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status);
diff --git a/patches.drivers/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c b/patches.suse/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
index 78873a30a8..23217faaaa 100644
--- a/patches.drivers/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c
+++ b/patches.suse/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
@@ -1,10 +1,9 @@
-From 6e46496302df7e63158fa1476cf9a30d5ee59dee Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Thu, 22 Jun 2017 13:06:21 +0200
-Subject: [PATCH] iwlwifi: mvm: remove DQA non-STA client mode special case
+Subject: iwlwifi: mvm: remove DQA non-STA client mode special case
Git-commit: 6e46496302df7e63158fa1476cf9a30d5ee59dee
-Patch-mainline: 4.13-rc1
-References: bsc#1051510
+Patch-mainline: v4.13-rc1
+References: bsc#1051510 FATE#322675
When we get a non-STA frame to transmit in client mode, we try to use
the IWL_MVM_DQA_BSS_CLIENT_QUEUE queue (queue #4). However, at this
@@ -40,15 +39,14 @@ be fixed by moving everything there to TXQs.
Fixes: e3118ad74d7e ("iwlwifi: mvm: support tdls in dqa mode")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 4 ----
- 1 file changed, 4 deletions(-)
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 8 --------
+ 1 file changed, 8 deletions(-)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
-@@ -627,10 +627,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+@@ -631,10 +631,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
* (this is not possible for unicast packets as a TLDS discovery
* response are sent without a station entry); otherwise use the
* AUX station.
@@ -59,3 +57,14 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
*/
sta_id = mvm->aux_sta.sta_id;
if (info.control.vif) {
+@@ -656,10 +652,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ if (ap_sta_id != IWL_MVM_INVALID_STA)
+ sta_id = ap_sta_id;
+ } else if (iwl_mvm_is_dqa_supported(mvm) &&
+- info.control.vif->type == NL80211_IFTYPE_STATION &&
+- queue != mvm->aux_queue) {
+- queue = IWL_MVM_DQA_BSS_CLIENT_QUEUE;
+- } else if (iwl_mvm_is_dqa_supported(mvm) &&
+ info.control.vif->type == NL80211_IFTYPE_MONITOR) {
+ queue = mvm->aux_queue;
+ }
diff --git a/patches.suse/kernel-sys.c-fix-potential-Spectre-v1-issue.patch b/patches.suse/kernel-sys.c-fix-potential-Spectre-v1-issue.patch
new file mode 100644
index 0000000000..1a0bcb7f73
--- /dev/null
+++ b/patches.suse/kernel-sys.c-fix-potential-Spectre-v1-issue.patch
@@ -0,0 +1,59 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 25 May 2018 14:47:57 -0700
+Subject: kernel/sys.c: fix potential Spectre v1 issue
+Git-commit: 23d6aef74da86a33fa6bb75f79565e0a16ee97c2
+Patch-mainline: v4.17-rc7
+References: bnc#1068032 CVE-2017-5753
+
+`resource' can be controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+ kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
+ kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
+
+Fix this by sanitizing *resource* before using it to index
+current->signal->rlim
+
+Notice that given that speculation windows are large, the policy is to
+kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/sys.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -68,6 +68,9 @@
+ #include <asm/io.h>
+ #include <asm/unistd.h>
+
++/* Hardening for Spectre-v1 */
++#include <linux/nospec.h>
++
+ #ifndef SET_UNALIGN_CTL
+ # define SET_UNALIGN_CTL(a, b) (-EINVAL)
+ #endif
+@@ -1318,6 +1321,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned
+ if (resource >= RLIM_NLIMITS)
+ return -EINVAL;
+
++ resource = array_index_nospec(resource, RLIM_NLIMITS);
+ task_lock(current->group_leader);
+ x = current->signal->rlim[resource];
+ task_unlock(current->group_leader);
diff --git a/patches.suse/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch b/patches.suse/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch
new file mode 100644
index 0000000000..0f7ffe86a9
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch
@@ -0,0 +1,65 @@
+From: Yuval Mintz <yuvalm@mellanox.com>
+Date: Fri, 15 Dec 2017 08:44:21 +0100
+Subject: mlxsw: spectrum: Disable MAC learning for ovs port
+Git-commit: fccff0862838908d21eaf956d57e09c6c189f7c5
+Patch-mainline: v4.15-rc4
+References: networking-stable-17_12_31
+
+Learning is currently enabled for ports which are OVS slaves -
+even though OVS doesn't need this indication.
+Since we're not associating a fid with the port, HW would continuously
+notify driver of learned [& aged] MACs which would be logged as errors.
+
+Fixes: 2b94e58df58c ("mlxsw: spectrum: Allow ports to work under OVS master")
+Signed-off-by: Yuval Mintz <yuvalm@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4093,6 +4093,7 @@ static int mlxsw_sp_port_stp_set(struct
+
+ static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port)
+ {
++ u16 vid = 1;
+ int err;
+
+ err = mlxsw_sp_port_stp_set(mlxsw_sp_port, true);
+@@ -4102,8 +4103,19 @@ static int mlxsw_sp_port_ovs_join(struct
+ true, false);
+ if (err)
+ goto err_port_vlan_set;
++
++ for (; vid <= VLAN_N_VID - 1; vid++) {
++ err = mlxsw_sp_port_vid_learning_set(mlxsw_sp_port,
++ vid, false);
++ if (err)
++ goto err_vid_learning_set;
++ }
++
+ return 0;
+
++err_vid_learning_set:
++ for (vid--; vid >= 1; vid--)
++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port, vid, true);
+ err_port_vlan_set:
+ mlxsw_sp_port_stp_set(mlxsw_sp_port, false);
+ return err;
+@@ -4111,6 +4123,12 @@ err_port_vlan_set:
+
+ static void mlxsw_sp_port_ovs_leave(struct mlxsw_sp_port *mlxsw_sp_port)
+ {
++ u16 vid;
++
++ for (vid = VLAN_N_VID - 1; vid >= 1; vid--)
++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port,
++ vid, true);
++
+ mlxsw_sp_port_vlan_set(mlxsw_sp_port, 2, VLAN_N_VID - 1,
+ false, false);
+ mlxsw_sp_port_stp_set(mlxsw_sp_port, false);
diff --git a/patches.suse/mlxsw-spectrum-Forbid-linking-to-devices-fix.patch b/patches.suse/mlxsw-spectrum-Forbid-linking-to-devices-fix.patch
new file mode 100644
index 0000000000..9076858050
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum-Forbid-linking-to-devices-fix.patch
@@ -0,0 +1,39 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: mlxsw: spectrum: Forbid linking to devices that have uppers FIX
+References: stable-fixes
+Patch-mainline: never, incorrect stable backport
+
+This is a fix for a stable patch:
+ patches.kernel.org/4.12.14-034-mlxsw-spectrum-Forbid-linking-to-devices-that.patch
+which is in upstream as 25cc72a33835ed8a6f53180a822cadab855852ac.
+
+The stable backport incorrectly patched mlxsw_sp_netdevice_bridge_event
+instead of mlxsw_sp_netdevice_vport_event, so fix it up here.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4276,10 +4276,6 @@ static int mlxsw_sp_netdevice_bridge_eve
+ if (is_vlan_dev(upper_dev) &&
+ br_dev != mlxsw_sp->master_bridge.dev)
+ return -EINVAL;
+- if (!info->linking)
+- break;
+- if (netdev_has_any_upper_dev(upper_dev))
+- return -EINVAL;
+ break;
+ case NETDEV_CHANGEUPPER:
+ upper_dev = info->upper_dev;
+@@ -4527,6 +4523,8 @@ static int mlxsw_sp_netdevice_vport_even
+ return -EINVAL;
+ if (!info->linking)
+ break;
++ if (netdev_has_any_upper_dev(upper_dev))
++ return -EINVAL;
+ /* We can't have multiple VLAN interfaces configured on
+ * the same port and being members in the same bridge.
+ */
diff --git a/patches.suse/mlxsw-spectrum-Prevent-mirred-related-crash-on-remov.patch b/patches.suse/mlxsw-spectrum-Prevent-mirred-related-crash-on-remov.patch
new file mode 100644
index 0000000000..7577500cc4
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum-Prevent-mirred-related-crash-on-remov.patch
@@ -0,0 +1,95 @@
+From: Yuval Mintz <yuvalm@mellanox.com>
+Date: Tue, 12 Sep 2017 08:50:53 +0200
+Subject: mlxsw: spectrum: Prevent mirred-related crash on removal
+Git-commit: 6399ebcccffa12e65bc15eda039d37673264ebce
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+When removing the offloading of mirred actions under
+matchall classifiers, mlxsw would find the destination port
+associated with the offloaded action and utilize it for undoing
+the configuration.
+
+Depending on the order by which ports are removed, it's possible that
+the destination port would get removed before the source port.
+In such a scenario, when actions would be flushed for the source port
+mlxsw would perform an illegal dereference as the destination port is
+no longer listed.
+
+Since the only item necessary for undoing the configuration on the
+destination side is the port-id and that in turn is already maintained
+by mlxsw on the source-port, simply stop trying to access the
+destination port and use the port-id directly instead.
+
+Fixes: 763b4b70af ("mlxsw: spectrum: Add support in matchall mirror TC offloading")
+Signed-off-by: Yuval Mintz <yuvalm@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -304,15 +304,14 @@ static void mlxsw_sp_span_entry_destroy(
+ }
+
+ static struct mlxsw_sp_span_entry *
+-mlxsw_sp_span_entry_find(struct mlxsw_sp_port *port)
++mlxsw_sp_span_entry_find(struct mlxsw_sp *mlxsw_sp, u8 local_port)
+ {
+- struct mlxsw_sp *mlxsw_sp = port->mlxsw_sp;
+ int i;
+
+ for (i = 0; i < mlxsw_sp->span.entries_count; i++) {
+ struct mlxsw_sp_span_entry *curr = &mlxsw_sp->span.entries[i];
+
+- if (curr->used && curr->local_port == port->local_port)
++ if (curr->used && curr->local_port == local_port)
+ return curr;
+ }
+ return NULL;
+@@ -323,7 +322,8 @@ static struct mlxsw_sp_span_entry
+ {
+ struct mlxsw_sp_span_entry *span_entry;
+
+- span_entry = mlxsw_sp_span_entry_find(port);
++ span_entry = mlxsw_sp_span_entry_find(port->mlxsw_sp,
++ port->local_port);
+ if (span_entry) {
+ /* Already exists, just take a reference */
+ span_entry->ref_count++;
+@@ -512,12 +512,13 @@ err_port_bind:
+ }
+
+ static void mlxsw_sp_span_mirror_remove(struct mlxsw_sp_port *from,
+- struct mlxsw_sp_port *to,
++ u8 destination_port,
+ enum mlxsw_sp_span_type type)
+ {
+ struct mlxsw_sp_span_entry *span_entry;
+
+- span_entry = mlxsw_sp_span_entry_find(to);
++ span_entry = mlxsw_sp_span_entry_find(from->mlxsw_sp,
++ destination_port);
+ if (!span_entry) {
+ netdev_err(from->dev, "no span entry found\n");
+ return;
+@@ -1333,14 +1334,12 @@ static void
+ mlxsw_sp_port_del_cls_matchall_mirror(struct mlxsw_sp_port *mlxsw_sp_port,
+ struct mlxsw_sp_port_mall_mirror_tc_entry *mirror)
+ {
+- struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
+ enum mlxsw_sp_span_type span_type;
+- struct mlxsw_sp_port *to_port;
+
+- to_port = mlxsw_sp->ports[mirror->to_local_port];
+ span_type = mirror->ingress ?
+ MLXSW_SP_SPAN_INGRESS : MLXSW_SP_SPAN_EGRESS;
+- mlxsw_sp_span_mirror_remove(mlxsw_sp_port, to_port, span_type);
++ mlxsw_sp_span_mirror_remove(mlxsw_sp_port, mirror->to_local_port,
++ span_type);
+ }
+
+ static int
diff --git a/patches.suse/mlxsw-spectrum-Relax-sanity-checks-during-enslavemen.patch b/patches.suse/mlxsw-spectrum-Relax-sanity-checks-during-enslavemen.patch
new file mode 100644
index 0000000000..6ab6e4f5e3
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum-Relax-sanity-checks-during-enslavemen.patch
@@ -0,0 +1,63 @@
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 25 Dec 2017 09:05:33 +0100
+Subject: mlxsw: spectrum: Relax sanity checks during enslavement
+Git-commit: 90045fc9c78855bdc625a0ab185d97b72a937613
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Since commit 25cc72a33835 ("mlxsw: spectrum: Forbid linking to devices that
+have uppers") the driver forbids enslavement to netdevs that already
+have uppers of their own, as this can result in various ordering
+problems.
+
+This requirement proved to be too strict for some users who need to be
+able to enslave ports to a bridge that already has uppers. In this case,
+we can allow the enslavement if the bridge is already known to us, as
+any configuration performed on top of the bridge was already reflected
+to the device.
+
+[js] backport to 4.12 -- no mlxsw_sp_bridge_device_is_offloaded yet
+
+Fixes: 25cc72a33835 ("mlxsw: spectrum: Forbid linking to devices that have uppers")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
+Tested-by: Alexander Petrovskiy <alexpe@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4157,7 +4157,9 @@ static int mlxsw_sp_netdevice_port_upper
+ return -EINVAL;
+ if (!info->linking)
+ break;
+- if (netdev_has_any_upper_dev(upper_dev))
++ if (netdev_has_any_upper_dev(upper_dev) &&
++ (!netif_is_bridge_master(upper_dev) ||
++ mlxsw_sp->master_bridge.dev != upper_dev))
+ return -EINVAL;
+ /* HW limitation forbids to put ports to multiple bridges. */
+ if (netif_is_bridge_master(upper_dev) &&
+@@ -4554,6 +4556,7 @@ static int mlxsw_sp_netdevice_vport_even
+ u16 vid)
+ {
+ struct mlxsw_sp_port *mlxsw_sp_port = netdev_priv(dev);
++ struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
+ struct netdev_notifier_changeupper_info *info = ptr;
+ struct mlxsw_sp_port *mlxsw_sp_vport;
+ struct net_device *upper_dev;
+@@ -4570,7 +4573,9 @@ static int mlxsw_sp_netdevice_vport_even
+ return -EINVAL;
+ if (!info->linking)
+ break;
+- if (netdev_has_any_upper_dev(upper_dev))
++ if (netdev_has_any_upper_dev(upper_dev) &&
++ (!netif_is_bridge_master(upper_dev) ||
++ mlxsw_sp->master_bridge.dev != upper_dev))
+ return -EINVAL;
+ /* We can't have multiple VLAN interfaces configured on
+ * the same port and being members in the same bridge.
diff --git a/patches.suse/mlxsw-spectrum_router-Fix-NULL-pointer-deref.patch b/patches.suse/mlxsw-spectrum_router-Fix-NULL-pointer-deref.patch
new file mode 100644
index 0000000000..4343598e69
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum_router-Fix-NULL-pointer-deref.patch
@@ -0,0 +1,35 @@
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 25 Dec 2017 08:57:35 +0100
+Subject: mlxsw: spectrum_router: Fix NULL pointer deref
+Git-commit: 8764a8267b128405cf383157d5e9a4a3735d2409
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+When we remove the neighbour associated with a nexthop we should always
+refuse to write the nexthop to the adjacency table. Regardless if it is
+already present in the table or not.
+
+Otherwise, we risk dereferencing the NULL pointer that was set instead
+of the neighbour.
+
+Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -1526,7 +1526,7 @@ static void __mlxsw_sp_nexthop_neigh_upd
+ {
+ if (!removing)
+ nh->should_offload = 1;
+- else if (nh->offloaded)
++ else
+ nh->should_offload = 0;
+ nh->update = 1;
+ }
diff --git a/patches.suse/mlxsw-spectrum_router-Simplify-a-piece-of-code.patch b/patches.suse/mlxsw-spectrum_router-Simplify-a-piece-of-code.patch
new file mode 100644
index 0000000000..a645c9b01d
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum_router-Simplify-a-piece-of-code.patch
@@ -0,0 +1,32 @@
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 31 Jul 2017 09:27:30 +0200
+Subject: mlxsw: spectrum_router: Simplify a piece of code
+Git-commit: 213666a3563f71b4a168b1fdc8c64115218e7758
+Patch-mainline: v4.14-rc1
+References: networking-stable-18_01_12
+
+Express the same logic more succinctly.
+
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -1524,9 +1524,9 @@ set_trap:
+ static void __mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp_nexthop *nh,
+ bool removing)
+ {
+- if (!removing && !nh->should_offload)
++ if (!removing)
+ nh->should_offload = 1;
+- else if (removing && nh->offloaded)
++ else if (nh->offloaded)
+ nh->should_offload = 0;
+ nh->update = 1;
+ }
diff --git a/patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch b/patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
index 2789c15d4c..7fbb5c7a10 100644
--- a/patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
+++ b/patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
@@ -4,7 +4,8 @@ Date: Fri, 1 Jun 2018 10:13:00 +0100
Subject: [PATCH] mremap: Remove LATENCY_LIMIT from mremap to reduce the number
of TLB shootdowns
-Patch-mainline: No, queued in subsystem maintainer repository
+Patch-mainline: v4.18
+Git-commit: 37a4094e828f3c7673aa9c60f8b2b9d1019db81b
References: bnc#1095115
Commit 5d1904204c99 ("mremap: fix race between mremap() and page cleanning")
diff --git a/patches.suse/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch b/patches.suse/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch
new file mode 100644
index 0000000000..93c7eadee7
--- /dev/null
+++ b/patches.suse/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch
@@ -0,0 +1,62 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 20 Dec 2017 17:57:06 -0800
+Subject: n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
+Git-commit: 966031f340185eddd05affcf72b740549f056348
+Patch-mainline: v4.15-rc6
+References: bnc#1094825
+
+We added support for EXTPROC back in 2010 in commit 26df6d13406d ("tty:
+Add EXTPROC support for LINEMODE") and the intent was to allow it to
+override some (all?) ICANON behavior. Quoting from that original commit
+message:
+
+ There is a new bit in the termios local flag word, EXTPROC.
+ When this bit is set, several aspects of the terminal driver
+ are disabled. Input line editing, character echo, and mapping
+ of signals are all disabled. This allows the telnetd to turn
+ off these functions when in linemode, but still keep track of
+ what state the user wants the terminal to be in.
+
+but the problem turns out that "several aspects of the terminal driver
+are disabled" is a bit ambiguous, and you can really confuse the n_tty
+layer by setting EXTPROC and then causing some of the ICANON invariants
+to no longer be maintained.
+
+This fixes at least one such case (TIOCINQ) becoming unhappy because of
+the confusion over whether ICANON really means ICANON when EXTPROC is set.
+
+This basically makes TIOCINQ match the case of read: if EXTPROC is set,
+we ignore ICANON. Also, make sure to reset the ICANON state ie EXTPROC
+changes, not just if ICANON changes.
+
+Fixes: 26df6d13406d ("tty: Add EXTPROC support for LINEMODE")
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Cc: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/tty/n_tty.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1764,7 +1764,7 @@ static void n_tty_set_termios(struct tty
+ {
+ struct n_tty_data *ldata = tty->disc_data;
+
+- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
++ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) {
+ bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
+ ldata->line_start = ldata->read_tail;
+ if (!L_ICANON(tty) || !read_cnt(ldata)) {
+@@ -2427,7 +2427,7 @@ static int n_tty_ioctl(struct tty_struct
+ return put_user(tty_chars_in_buffer(tty), (int __user *) arg);
+ case TIOCINQ:
+ down_write(&tty->termios_rwsem);
+- if (L_ICANON(tty))
++ if (L_ICANON(tty) && !L_EXTPROC(tty))
+ retval = inq_canon(ldata);
+ else
+ retval = read_cnt(ldata);
diff --git a/patches.suse/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch b/patches.suse/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
new file mode 100644
index 0000000000..1287fd6baf
--- /dev/null
+++ b/patches.suse/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
@@ -0,0 +1,104 @@
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Tue, 26 Sep 2017 17:38:50 -0700
+Subject: net: Set sk_prot_creator when cloning sockets to the right proto
+Git-commit: 9d538fa60bad4f7b23193c89e843797a1cf71ef3
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+sk->sk_prot and sk->sk_prot_creator can differ when the app uses
+IPV6_ADDRFORM (transforming an IPv6-socket to an IPv4-one).
+Which is why sk_prot_creator is there to make sure that sk_prot_free()
+does the kmem_cache_free() on the right kmem_cache slab.
+
+Now, if such a socket gets transformed back to a listening socket (using
+connect() with AF_UNSPEC) we will allocate an IPv4 tcp_sock through
+sk_clone_lock() when a new connection comes in. But sk_prot_creator will
+still point to the IPv6 kmem_cache (as everything got copied in
+sk_clone_lock()). When freeing, we will thus put this
+memory back into the IPv6 kmem_cache although it was allocated in the
+IPv4 cache. I have seen memory corruption happening because of this.
+
+With slub-debugging and MEMCG_KMEM enabled this gives the warning
+ "cache_from_obj: Wrong slab cache. TCPv6 but object is from TCP"
+
+A C-program to trigger this:
+
+void main(void)
+{
+ int fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
+ int new_fd, newest_fd, client_fd;
+ struct sockaddr_in6 bind_addr;
+ struct sockaddr_in bind_addr4, client_addr1, client_addr2;
+ struct sockaddr unsp;
+ int val;
+
+ memset(&bind_addr, 0, sizeof(bind_addr));
+ bind_addr.sin6_family = AF_INET6;
+ bind_addr.sin6_port = ntohs(42424);
+
+ memset(&client_addr1, 0, sizeof(client_addr1));
+ client_addr1.sin_family = AF_INET;
+ client_addr1.sin_port = ntohs(42424);
+ client_addr1.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+ memset(&client_addr2, 0, sizeof(client_addr2));
+ client_addr2.sin_family = AF_INET;
+ client_addr2.sin_port = ntohs(42421);
+ client_addr2.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+ memset(&unsp, 0, sizeof(unsp));
+ unsp.sa_family = AF_UNSPEC;
+
+ bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
+
+ listen(fd, 5);
+
+ client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ connect(client_fd, (struct sockaddr *)&client_addr1, sizeof(client_addr1));
+ new_fd = accept(fd, NULL, NULL);
+ close(fd);
+
+ val = AF_INET;
+ setsockopt(new_fd, SOL_IPV6, IPV6_ADDRFORM, &val, sizeof(val));
+
+ connect(new_fd, &unsp, sizeof(unsp));
+
+ memset(&bind_addr4, 0, sizeof(bind_addr4));
+ bind_addr4.sin_family = AF_INET;
+ bind_addr4.sin_port = ntohs(42421);
+ bind(new_fd, (struct sockaddr *)&bind_addr4, sizeof(bind_addr4));
+
+ listen(new_fd, 5);
+
+ client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ connect(client_fd, (struct sockaddr *)&client_addr2, sizeof(client_addr2));
+
+ newest_fd = accept(new_fd, NULL, NULL);
+ close(new_fd);
+
+ close(client_fd);
+ close(new_fd);
+}
+
+As far as I can see, this bug has been there since the beginning of the
+git-days.
+
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1613,6 +1613,8 @@ struct sock *sk_clone_lock(const struct
+
+ sock_copy(newsk, sk);
+
++ newsk->sk_prot_creator = sk->sk_prot;
++
+ /* SANITY */
+ if (likely(newsk->sk_net_refcnt))
+ get_net(sock_net(newsk));
diff --git a/patches.suse/net-bonding-Fix-transmit-load-balancing-in-balance-a.patch b/patches.suse/net-bonding-Fix-transmit-load-balancing-in-balance-a.patch
new file mode 100644
index 0000000000..f90c2f34dc
--- /dev/null
+++ b/patches.suse/net-bonding-Fix-transmit-load-balancing-in-balance-a.patch
@@ -0,0 +1,64 @@
+From: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
+Date: Wed, 6 Sep 2017 22:47:59 +0000
+Subject: net: bonding: Fix transmit load balancing in balance-alb mode if
+ specified by sysfs
+Git-commit: c6644d07eff6588b2dedf881279fb0d1c7783970
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+Commit cbf5ecb30560 ("net: bonding: Fix transmit load balancing in
+balance-alb mode") tried to fix transmit dynamic load balancing in
+balance-alb mode, which wasn't working after commit 8b426dc54cf4
+("bonding: remove hardcoded value").
+
+It turned out that my previous patch only fixed the case when
+balance-alb was specified as bonding module parameter, and not when
+balance-alb mode was set using /sys/class/net/*/bonding/mode (the most
+common usage). In the latter case, tlb_dynamic_lb was set up according
+to the default mode of the bonding interface, which happens to be
+balance-rr.
+
+This additional patch addresses this issue by setting up tlb_dynamic_lb
+to 1 if "mode" is set to balance-alb through the sysfs interface.
+
+I didn't add code to change tlb_balance_lb back to the default value for
+other modes, because "mode" is usually set up only once during
+initialization, and it's not worthwhile to change the static variable
+bonding_defaults in bond_main.c to a global variable just for this
+purpose.
+
+Commit 8b426dc54cf4 also changes the value of tlb_dynamic_lb for
+balance-tlb mode if it is set up using the sysfs interface. I didn't
+change that behavior, because the value of tlb_balance_lb can be changed
+using the sysfs interface for balance-tlb, and I didn't like changing
+the default value back and forth for balance-tlb.
+
+As for balance-alb, /sys/class/net/*/bonding/tlb_balance_lb cannot be
+written to. However, I think balance-alb with tlb_dynamic_lb set to 0
+is not an intended usage, so there is little use making it writable at
+this moment.
+
+Fixes: 8b426dc54cf4 ("bonding: remove hardcoded value")
+Reported-by: Reinis Rozitis <r@roze.lv>
+Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
+Cc: stable@vger.kernel.org # v4.12+
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_options.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -731,6 +731,9 @@ static int bond_option_mode_set(struct b
+ bond->params.miimon);
+ }
+
++ if (newval->value == BOND_MODE_ALB)
++ bond->params.tlb_dynamic_lb = 1;
++
+ /* don't cache arp_validate between modes */
+ bond->params.arp_validate = BOND_ARP_VALIDATE_NONE;
+ bond->params.mode = newval->value;
diff --git a/patches.suse/net-bonding-fix-tlb_dynamic_lb-default-value.patch b/patches.suse/net-bonding-fix-tlb_dynamic_lb-default-value.patch
new file mode 100644
index 0000000000..35ddfd55a8
--- /dev/null
+++ b/patches.suse/net-bonding-fix-tlb_dynamic_lb-default-value.patch
@@ -0,0 +1,62 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 12 Sep 2017 15:10:05 +0300
+Subject: net: bonding: fix tlb_dynamic_lb default value
+Git-commit: f13ad104b4e886a03e75f130daf579ef9bf33dfc
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+Commit 8b426dc54cf4 ("bonding: remove hardcoded value") changed the
+default value for tlb_dynamic_lb which lead to either broken ALB mode
+(since tlb_dynamic_lb can be changed only in TLB) or setting TLB mode
+with tlb_dynamic_lb equal to 0.
+The first issue was recently fixed by setting tlb_dynamic_lb to 1 always
+when switching to ALB mode, but the default value is still wrong and
+we'll enter TLB mode with tlb_dynamic_lb equal to 0 if the mode is
+changed via netlink or sysfs. In order to restore the previous behaviour
+and default value simply remove the mode check around the default param
+initialization for tlb_dynamic_lb which will always set it to 1 as
+before.
+
+Fixes: 8b426dc54cf4 ("bonding: remove hardcoded value")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_main.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4291,7 +4291,7 @@ static int bond_check_params(struct bond
+ int bond_mode = BOND_MODE_ROUNDROBIN;
+ int xmit_hashtype = BOND_XMIT_POLICY_LAYER2;
+ int lacp_fast = 0;
+- int tlb_dynamic_lb = 0;
++ int tlb_dynamic_lb;
+
+ /* Convert string parameters. */
+ if (mode) {
+@@ -4603,16 +4603,13 @@ static int bond_check_params(struct bond
+ }
+ ad_user_port_key = valptr->value;
+
+- if ((bond_mode == BOND_MODE_TLB) || (bond_mode == BOND_MODE_ALB)) {
+- bond_opt_initstr(&newval, "default");
+- valptr = bond_opt_parse(bond_opt_get(BOND_OPT_TLB_DYNAMIC_LB),
+- &newval);
+- if (!valptr) {
+- pr_err("Error: No tlb_dynamic_lb default value");
+- return -EINVAL;
+- }
+- tlb_dynamic_lb = valptr->value;
++ bond_opt_initstr(&newval, "default");
++ valptr = bond_opt_parse(bond_opt_get(BOND_OPT_TLB_DYNAMIC_LB), &newval);
++ if (!valptr) {
++ pr_err("Error: No tlb_dynamic_lb default value");
++ return -EINVAL;
+ }
++ tlb_dynamic_lb = valptr->value;
+
+ if (lp_interval == 0) {
+ pr_warn("Warning: ip_interval must be between 1 and %d, so it was reset to %d\n",
diff --git a/patches.suse/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch b/patches.suse/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch
new file mode 100644
index 0000000000..10cdb44a5d
--- /dev/null
+++ b/patches.suse/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch
@@ -0,0 +1,92 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Mon, 18 Dec 2017 17:35:09 +0200
+Subject: net: bridge: fix early call to br_stp_change_bridge_id and plug
+ newlink leaks
+Git-commit: 84aeb437ab98a2bce3d4b2111c79723aedfceb33
+Patch-mainline: v4.15-rc5
+References: networking-stable-17_12_31
+
+The early call to br_stp_change_bridge_id in bridge's newlink can cause
+a memory leak if an error occurs during the newlink because the fdb
+entries are not cleaned up if a different lladdr was specified, also
+another minor issue is that it generates fdb notifications with
+ifindex = 0. Another unrelated memory leak is the bridge sysfs entries
+which get added on NETDEV_REGISTER event, but are not cleaned up in the
+newlink error path. To remove this special case the call to
+br_stp_change_bridge_id is done after netdev register and we cleanup the
+bridge on changelink error via br_dev_delete to plug all leaks.
+
+This patch makes netlink bridge destruction on newlink error the same as
+dellink and ioctl del which is necessary since at that point we have a
+fully initialized bridge device.
+
+To reproduce the issue:
+$ ip l add br0 address 00:11:22:33:44:55 type bridge group_fwd_mask 1
+RTNETLINK answers: Invalid argument
+
+$ rmmod bridge
+[ 1822.142525] =============================================================================
+[ 1822.143640] BUG bridge_fdb_cache (Tainted: G O ): Objects remaining in bridge_fdb_cache on __kmem_cache_shutdown()
+[ 1822.144821] -----------------------------------------------------------------------------
+
+[ 1822.145990] Disabling lock debugging due to kernel taint
+[ 1822.146732] INFO: Slab 0x0000000092a844b2 objects=32 used=2 fp=0x00000000fef011b0 flags=0x1ffff8000000100
+[ 1822.147700] CPU: 2 PID: 13584 Comm: rmmod Tainted: G B O 4.15.0-rc2+ #87
+[ 1822.148578] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 1822.150008] Call Trace:
+[ 1822.150510] dump_stack+0x78/0xa9
+[ 1822.151156] slab_err+0xb1/0xd3
+[ 1822.151834] ? __kmalloc+0x1bb/0x1ce
+[ 1822.152546] __kmem_cache_shutdown+0x151/0x28b
+[ 1822.153395] shutdown_cache+0x13/0x144
+[ 1822.154126] kmem_cache_destroy+0x1c0/0x1fb
+[ 1822.154669] SyS_delete_module+0x194/0x244
+[ 1822.155199] ? trace_hardirqs_on_thunk+0x1a/0x1c
+[ 1822.155773] entry_SYSCALL_64_fastpath+0x23/0x9a
+[ 1822.156343] RIP: 0033:0x7f929bd38b17
+[ 1822.156859] RSP: 002b:00007ffd160e9a98 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
+[ 1822.157728] RAX: ffffffffffffffda RBX: 00005578316ba090 RCX: 00007f929bd38b17
+[ 1822.158422] RDX: 00007f929bd9ec60 RSI: 0000000000000800 RDI: 00005578316ba0f0
+[ 1822.159114] RBP: 0000000000000003 R08: 00007f929bff5f20 R09: 00007ffd160e8a11
+[ 1822.159808] R10: 00007ffd160e9860 R11: 0000000000000202 R12: 00007ffd160e8a80
+[ 1822.160513] R13: 0000000000000000 R14: 0000000000000000 R15: 00005578316ba090
+[ 1822.161278] INFO: Object 0x000000007645de29 @offset=0
+[ 1822.161666] INFO: Object 0x00000000d5df2ab5 @offset=128
+
+Fixes: 30313a3d5794 ("bridge: Handle IFLA_ADDRESS correctly when creating bridge device")
+Fixes: 5b8d5429daa0 ("bridge: netlink: register netdevice before executing changelink")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bridge/br_netlink.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1175,19 +1175,20 @@ static int br_dev_newlink(struct net *sr
+ struct net_bridge *br = netdev_priv(dev);
+ int err;
+
++ err = register_netdevice(dev);
++ if (err)
++ return err;
++
+ if (tb[IFLA_ADDRESS]) {
+ spin_lock_bh(&br->lock);
+ br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
+ spin_unlock_bh(&br->lock);
+ }
+
+- err = register_netdevice(dev);
+- if (err)
+- return err;
+-
+ err = br_changelink(dev, tb, data, extack);
+ if (err)
+- unregister_netdevice(dev);
++ br_dev_delete(dev, NULL);
++
+ return err;
+ }
+
diff --git a/patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch b/patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch
new file mode 100644
index 0000000000..c0f4e69812
--- /dev/null
+++ b/patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch
@@ -0,0 +1,31 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 19 Oct 2017 20:17:32 +0300
+Subject: net: bridge: fix returning of vlan range op errors
+Git-commit: 66c54517540cedf5a22911c6b7f5c7d8b5d1e1be
+Patch-mainline: v4.14-rc6
+References: networking-stable-17_11_14
+
+When vlan tunnels were introduced, vlan range errors got silently
+dropped and instead 0 was returned always. Restore the previous
+behaviour and return errors to user-space.
+
+Fixes: efa5356b0d97 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bridge/br_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -573,7 +573,7 @@ static int br_process_vlan_info(struct n
+ }
+ *vinfo_last = NULL;
+
+- return 0;
++ return err;
+ }
+
+ return br_vlan_info(br, p, cmd, vinfo_curr);
diff --git a/patches.suse/net-core-fix-module-type-in-sock_diag_bind.patch b/patches.suse/net-core-fix-module-type-in-sock_diag_bind.patch
new file mode 100644
index 0000000000..9d453c35b4
--- /dev/null
+++ b/patches.suse/net-core-fix-module-type-in-sock_diag_bind.patch
@@ -0,0 +1,27 @@
+From: Andrii Vladyka <tulup@mail.ru>
+Date: Thu, 4 Jan 2018 13:09:17 +0200
+Subject: net: core: fix module type in sock_diag_bind
+Git-commit: b8fd0823e0770c2d5fdbd865bccf0d5e058e5287
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Use AF_INET6 instead of AF_INET in IPv6-related code path
+
+Signed-off-by: Andrii Vladyka <tulup@mail.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/sock_diag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -288,7 +288,7 @@ static int sock_diag_bind(struct net *ne
+ case SKNLGRP_INET6_UDP_DESTROY:
+ if (!sock_diag_handlers[AF_INET6])
+ request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, AF_INET);
++ NETLINK_SOCK_DIAG, AF_INET6);
+ break;
+ }
+ return 0;
diff --git a/patches.suse/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch b/patches.suse/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch
new file mode 100644
index 0000000000..ceba91237f
--- /dev/null
+++ b/patches.suse/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch
@@ -0,0 +1,30 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 21 Nov 2017 17:37:46 -0800
+Subject: net: dsa: bcm_sf2: Clear IDDQ_GLOBAL_PWR bit for PHY
+Git-commit: 4b52d010113e11006a389f2a8315167ede9e0b10
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_12_31
+
+The PHY on BCM7278 has an additional bit that needs to be cleared:
+IDDQ_GLOBAL_PWR, without doing this, the PHY remains stuck in reset out
+of suspend/resume cycles.
+
+Fixes: 0fe9933804eb ("net: dsa: bcm_sf2: Add support for BCM7278 integrated switch")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/dsa/bcm_sf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -159,7 +159,7 @@ static void bcm_sf2_gphy_enable_set(stru
+ reg = reg_readl(priv, REG_SPHY_CNTRL);
+ if (enable) {
+ reg |= PHY_RESET;
+- reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | CK25_DIS);
++ reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | IDDQ_GLOBAL_PWR | CK25_DIS);
+ reg_writel(priv, reg, REG_SPHY_CNTRL);
+ udelay(21);
+ reg = reg_readl(priv, REG_SPHY_CNTRL);
diff --git a/patches.suse/net-dsa-check-master-device-before-put.patch b/patches.suse/net-dsa-check-master-device-before-put.patch
new file mode 100644
index 0000000000..cab4d8e728
--- /dev/null
+++ b/patches.suse/net-dsa-check-master-device-before-put.patch
@@ -0,0 +1,40 @@
+From: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
+Date: Tue, 24 Oct 2017 16:37:19 -0400
+Subject: net: dsa: check master device before put
+Git-commit: 3eb8feeb1708c7dbfd2e97df92a2a407c116606e
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+In the case of pdata, the dsa_cpu_parse function calls dev_put() before
+making sure it isn't NULL. Fix this.
+
+Fixes: 71e0bbde0d88 ("net: dsa: Add support for platform data")
+Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/dsa/dsa2.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/dsa/dsa2.c
++++ b/net/dsa/dsa2.c
+@@ -506,14 +506,15 @@ static int dsa_cpu_parse(struct dsa_port
+ if (!ethernet)
+ return -EINVAL;
+ ethernet_dev = of_find_net_device_by_node(ethernet);
++ if (!ethernet_dev)
++ return -EPROBE_DEFER;
+ } else {
+ ethernet_dev = dsa_dev_to_net_device(ds->cd->netdev[index]);
++ if (!ethernet_dev)
++ return -EPROBE_DEFER;
+ dev_put(ethernet_dev);
+ }
+
+- if (!ethernet_dev)
+- return -EPROBE_DEFER;
+-
+ if (!ds->master_netdev)
+ ds->master_netdev = ethernet_dev;
+
diff --git a/patches.suse/net-dsa-mv88e6xxx-lock-mutex-when-freeing-IRQs.patch b/patches.suse/net-dsa-mv88e6xxx-lock-mutex-when-freeing-IRQs.patch
new file mode 100644
index 0000000000..e2945b85f7
--- /dev/null
+++ b/patches.suse/net-dsa-mv88e6xxx-lock-mutex-when-freeing-IRQs.patch
@@ -0,0 +1,32 @@
+From: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
+Date: Tue, 26 Sep 2017 14:57:21 -0400
+Subject: net: dsa: mv88e6xxx: lock mutex when freeing IRQs
+Git-commit: b32ca44a88def4bf92626d8777494c6f14638c42
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+mv88e6xxx_g2_irq_free locks the registers mutex, but not
+mv88e6xxx_g1_irq_free, which results in a stack trace from
+assert_reg_lock when unloading the mv88e6xxx module. Fix this.
+
+Fixes: 3460a5770ce9 ("net: dsa: mv88e6xxx: Mask g1 interrupts and free interrupt")
+Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4222,7 +4222,9 @@ static void mv88e6xxx_remove(struct mdio
+ if (chip->irq > 0) {
+ if (mv88e6xxx_has(chip, MV88E6XXX_FLAG_G2_INT))
+ mv88e6xxx_g2_irq_free(chip);
++ mutex_lock(&chip->reg_lock);
+ mv88e6xxx_g1_irq_free(chip);
++ mutex_unlock(&chip->reg_lock);
+ }
+ }
+
diff --git a/patches.suse/net-emac-Fix-napi-poll-list-corruption.patch b/patches.suse/net-emac-Fix-napi-poll-list-corruption.patch
new file mode 100644
index 0000000000..9999a89e95
--- /dev/null
+++ b/patches.suse/net-emac-Fix-napi-poll-list-corruption.patch
@@ -0,0 +1,51 @@
+From: Christian Lamparter <chunkeey@googlemail.com>
+Date: Tue, 19 Sep 2017 19:35:18 +0200
+Subject: net: emac: Fix napi poll list corruption
+Git-commit: f55956065ec94e3e9371463d693a1029c4cc3007
+Patch-mainline: v4.14-rc2
+References: networking-stable-17_10_09
+
+This patch is pretty much a carbon copy of
+commit 3079c652141f ("caif: Fix napi poll list corruption")
+with "caif" replaced by "emac".
+
+The commit d75b1ade567f ("net: less interrupt masking in NAPI")
+breaks emac.
+
+It is now required that if the entire budget is consumed when poll
+returns, the napi poll_list must remain empty. However, like some
+other drivers emac tries to do a last-ditch check and if there is
+more work it will call napi_reschedule and then immediately process
+some of this new work. Should the entire budget be consumed while
+processing such new work then we will violate the new caller
+contract.
+
+This patch fixes this by not touching any work when we reschedule
+in emac.
+
+Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/ibm/emac/mal.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/emac/mal.c
++++ b/drivers/net/ethernet/ibm/emac/mal.c
+@@ -402,7 +402,7 @@ static int mal_poll(struct napi_struct *
+ unsigned long flags;
+
+ MAL_DBG2(mal, "poll(%d)" NL, budget);
+- again:
++
+ /* Process TX skbs */
+ list_for_each(l, &mal->poll_list) {
+ struct mal_commac *mc =
+@@ -451,7 +451,6 @@ static int mal_poll(struct napi_struct *
+ spin_lock_irqsave(&mal->lock, flags);
+ mal_disable_eob_irq(mal);
+ spin_unlock_irqrestore(&mal->lock, flags);
+- goto again;
+ }
+ mc->ops->poll_tx(mc->dev);
+ }
diff --git a/patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch b/patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch
new file mode 100644
index 0000000000..54eb773dd8
--- /dev/null
+++ b/patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch
@@ -0,0 +1,31 @@
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Wed, 3 Jan 2018 10:39:30 +0800
+Subject: net: fec: defer probe if regulator is not ready
+Git-commit: 3f38c683033a9a0a2738e7067f449deefabfa3ef
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Defer probe if regulator is not ready. E.g. some regulator is fixed
+regulator controlled by i2c expander gpio, the i2c device may be probed
+after the driver, then it should handle the case of defer probe error.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3432,6 +3432,10 @@ fec_probe(struct platform_device *pdev)
+ goto failed_regulator;
+ }
+ } else {
++ if (PTR_ERR(fep->reg_phy) == -EPROBE_DEFER) {
++ ret = -EPROBE_DEFER;
++ goto failed_regulator;
++ }
+ fep->reg_phy = NULL;
+ }
+
diff --git a/patches.suse/net-fec-free-restore-resource-in-related-probe-error.patch b/patches.suse/net-fec-free-restore-resource-in-related-probe-error.patch
new file mode 100644
index 0000000000..f2e9156c82
--- /dev/null
+++ b/patches.suse/net-fec-free-restore-resource-in-related-probe-error.patch
@@ -0,0 +1,36 @@
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Thu, 4 Jan 2018 10:47:20 +0800
+Subject: net: fec: free/restore resource in related probe error pathes
+Git-commit: d1616f07e8f1a4a490d1791316d4a68906b284aa
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Fixes in probe error path:
+- Restore dev_id before failed_ioremap path.
+ Fixes: ("net: fec: restore dev_id in the cases of probe error")
+- Call of_node_put(phy_node) before failed_phy path.
+ Fixes: ("net: fec: Support phys probed from devicetree and fixed-link")
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3517,11 +3517,11 @@ failed_clk_ipg:
+ failed_clk:
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+-failed_phy:
+ of_node_put(phy_node);
++failed_phy:
++ dev_id--;
+ failed_ioremap:
+ free_netdev(ndev);
+- dev_id--;
+
+ return ret;
+ }
diff --git a/patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch b/patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch
new file mode 100644
index 0000000000..5150af4ec8
--- /dev/null
+++ b/patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch
@@ -0,0 +1,27 @@
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Wed, 3 Jan 2018 10:39:29 +0800
+Subject: net: fec: restore dev_id in the cases of probe error
+Git-commit: e90f686b4358d7d7e5dbaa48b8e78c9a4e41826e
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+The static variable dev_id always plus one before netdev registerred.
+It should restore the dev_id value in the cases of probe error.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3517,6 +3517,7 @@ failed_phy:
+ of_node_put(phy_node);
+ failed_ioremap:
+ free_netdev(ndev);
++ dev_id--;
+
+ return ret;
+ }
diff --git a/patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch b/patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch
new file mode 100644
index 0000000000..36be4dbb9c
--- /dev/null
+++ b/patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch
@@ -0,0 +1,42 @@
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Fri, 22 Dec 2017 17:12:09 +0800
+Subject: net: fec: unmap the xmit buffer that are not transferred by DMA
+Git-commit: 178e5f57a8d8f8fc5799a624b96fc31ef9a29ffa
+Patch-mainline: v4.15-rc6
+References: networking-stable-17_12_31
+
+The enet IP only support 32 bit, it will use swiotlb buffer to do dma
+mapping when xmit buffer DMA memory address is bigger than 4G in i.MX
+platform. After stress suspend/resume test, it will print out:
+
+log:
+[12826.352864] fec 5b040000.ethernet: swiotlb buffer is full (sz: 191 bytes)
+[12826.359676] DMA: Out of SW-IOMMU space for 191 bytes at device 5b040000.ethernet
+[12826.367110] fec 5b040000.ethernet eth0: Tx DMA memory map failed
+
+The issue is that the ready xmit buffers that are dma mapped but DMA still
+don't copy them into fifo, once MAC restart, these DMA buffers are not unmapped.
+So it should check the dma mapping buffer and unmap them.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -816,6 +816,12 @@ static void fec_enet_bd_init(struct net_
+ for (i = 0; i < txq->bd.ring_size; i++) {
+ /* Initialize the BD for every fragment in the page. */
+ bdp->cbd_sc = cpu_to_fec16(0);
++ if (bdp->cbd_bufaddr &&
++ !IS_TSO_HEADER(txq, fec32_to_cpu(bdp->cbd_bufaddr)))
++ dma_unmap_single(&fep->pdev->dev,
++ fec32_to_cpu(bdp->cbd_bufaddr),
++ fec16_to_cpu(bdp->cbd_datlen),
++ DMA_TO_DEVICE);
+ if (txq->tx_skbuff[i]) {
+ dev_kfree_skb_any(txq->tx_skbuff[i]);
+ txq->tx_skbuff[i] = NULL;
diff --git a/patches.suse/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch b/patches.suse/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch
new file mode 100644
index 0000000000..c2f66bdab7
--- /dev/null
+++ b/patches.suse/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch
@@ -0,0 +1,85 @@
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Mon, 11 Dec 2017 11:13:45 -0800
+Subject: net: igmp: Use correct source address on IGMPv3 reports
+Git-commit: a46182b00290839fa3fa159d54fd3237bd8669f0
+Patch-mainline: v4.15-rc4
+References: networking-stable-17_12_31
+
+Closing a multicast socket after the final IPv4 address is deleted
+from an interface can generate a membership report that uses the
+source IP from a different interface. The following test script, run
+from an isolated netns, reproduces the issue:
+
+ #!/bin/bash
+
+ ip link add dummy0 type dummy
+ ip link add dummy1 type dummy
+ ip link set dummy0 up
+ ip link set dummy1 up
+ ip addr add 10.1.1.1/24 dev dummy0
+ ip addr add 192.168.99.99/24 dev dummy1
+
+ tcpdump -U -i dummy0 &
+ socat EXEC:"sleep 2" \
+ UDP4-DATAGRAM:239.101.1.68:8889,ip-add-membership=239.0.1.68:10.1.1.1 &
+
+ sleep 1
+ ip addr del 10.1.1.1/24 dev dummy0
+ sleep 5
+ kill %tcpdump
+
+RFC 3376 specifies that the report must be sent with a valid IP source
+address from the destination subnet, or from address 0.0.0.0. Add an
+extra check to make sure this is the case.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/igmp.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -89,6 +89,7 @@
+ #include <linux/rtnetlink.h>
+ #include <linux/times.h>
+ #include <linux/pkt_sched.h>
++#include <linux/byteorder/generic.h>
+
+ #include <net/net_namespace.h>
+ #include <net/arp.h>
+@@ -321,6 +322,23 @@ igmp_scount(struct ip_mc_list *pmc, int
+ return scount;
+ }
+
++/* source address selection per RFC 3376 section 4.2.13 */
++static __be32 igmpv3_get_srcaddr(struct net_device *dev,
++ const struct flowi4 *fl4)
++{
++ struct in_device *in_dev = __in_dev_get_rcu(dev);
++
++ if (!in_dev)
++ return htonl(INADDR_ANY);
++
++ for_ifa(in_dev) {
++ if (inet_ifa_match(fl4->saddr, ifa))
++ return fl4->saddr;
++ } endfor_ifa(in_dev);
++
++ return htonl(INADDR_ANY);
++}
++
+ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
+ {
+ struct sk_buff *skb;
+@@ -368,7 +386,7 @@ static struct sk_buff *igmpv3_newpack(st
+ pip->frag_off = htons(IP_DF);
+ pip->ttl = 1;
+ pip->daddr = fl4.daddr;
+- pip->saddr = fl4.saddr;
++ pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
+ pip->protocol = IPPROTO_IGMP;
+ pip->tot_len = 0; /* filled in later */
+ ip_select_ident(net, skb, NULL);
diff --git a/patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch b/patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch
new file mode 100644
index 0000000000..6d7efa9e52
--- /dev/null
+++ b/patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch
@@ -0,0 +1,79 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 1 Feb 2018 10:26:57 -0800
+Subject: net: igmp: add a missing rcu locking section
+Git-commit: e7aadb27a5415e8125834b84a74477bfbee4eff5
+Patch-mainline: v4.16-rc1
+References: git-fixes
+
+Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
+
+Timer callbacks do not ensure this locking.
+
+=============================
+WARNING: suspicious RCU usage
+4.15.0+ #200 Not tainted
+-----------------------------
+./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+3 locks held by syzkaller616973/4074:
+ #0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
+ #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
+ #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
+ #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
+ #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
+
+stack backtrace:
+CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
+ __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
+ igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
+ igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
+ add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
+ add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
+ igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
+ igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
+ igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
+ call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:541 [inline]
+ smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
+
+Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/igmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -386,7 +386,11 @@ static struct sk_buff *igmpv3_newpack(st
+ pip->frag_off = htons(IP_DF);
+ pip->ttl = 1;
+ pip->daddr = fl4.daddr;
++
++ rcu_read_lock();
+ pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
++ rcu_read_unlock();
++
+ pip->protocol = IPPROTO_IGMP;
+ pip->tot_len = 0; /* filled in later */
+ ip_select_ident(net, skb, NULL);
diff --git a/patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch b/patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch
new file mode 100644
index 0000000000..24367fb2f0
--- /dev/null
+++ b/patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch
@@ -0,0 +1,38 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 19 Jan 2018 11:50:46 +0100
+Subject: net: igmp: fix source address check for IGMPv3 reports
+Git-commit: ad23b750933ea7bf962678972a286c78a8fa36aa
+Patch-mainline: v4.15
+References: git-fixes
+
+Commit "net: igmp: Use correct source address on IGMPv3 reports"
+introduced a check to validate the source address of locally generated
+IGMPv3 packets.
+Instead of checking the local interface address directly, it uses
+inet_ifa_match(fl4->saddr, ifa), which checks if the address is on the
+local subnet (or equal to the point-to-point address if used).
+
+This breaks for point-to-point interfaces, so check against
+ifa->ifa_local directly.
+
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
+Reported-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -332,7 +332,7 @@ static __be32 igmpv3_get_srcaddr(struct
+ return htonl(INADDR_ANY);
+
+ for_ifa(in_dev) {
+- if (inet_ifa_match(fl4->saddr, ifa))
++ if (fl4->saddr == ifa->ifa_local)
+ return fl4->saddr;
+ } endfor_ifa(in_dev);
+
diff --git a/patches.suse/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch b/patches.suse/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch
new file mode 100644
index 0000000000..9a2400a845
--- /dev/null
+++ b/patches.suse/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch
@@ -0,0 +1,33 @@
+From: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Date: Wed, 6 Dec 2017 15:23:23 +0100
+Subject: net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
+Git-commit: 589bf32f09852041fbd3b7ce1a9e703f95c230ba
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_31
+
+add appropriate calls to clk_disable_unprepare() by jumping to out_mdio
+in case orion_mdio_probe() returns -EPROBE_DEFER.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 3d604da1e954 ("net: mvmdio: get and enable optional clock")
+Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/marvell/mvmdio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvmdio.c
++++ b/drivers/net/ethernet/marvell/mvmdio.c
+@@ -241,7 +241,8 @@ static int orion_mdio_probe(struct platf
+ dev->regs + MVMDIO_ERR_INT_MASK);
+
+ } else if (dev->err_interrupt == -EPROBE_DEFER) {
+- return -EPROBE_DEFER;
++ ret = -EPROBE_DEFER;
++ goto out_mdio;
+ }
+
+ mutex_init(&dev->lock);
diff --git a/patches.suse/net-phy-Fix-mask-value-write-on-gmii2rgmii-converter.patch b/patches.suse/net-phy-Fix-mask-value-write-on-gmii2rgmii-converter.patch
new file mode 100644
index 0000000000..1809e92344
--- /dev/null
+++ b/patches.suse/net-phy-Fix-mask-value-write-on-gmii2rgmii-converter.patch
@@ -0,0 +1,36 @@
+From: Fahad Kunnathadi <fahad.kunnathadi@dexceldesigns.com>
+Date: Fri, 15 Sep 2017 12:01:58 +0530
+Subject: net: phy: Fix mask value write on gmii2rgmii converter speed register
+Git-commit: f2654a4781318dc7ab8d6cde66f1fa39eab980a9
+Patch-mainline: v4.14-rc2
+References: networking-stable-17_10_09
+
+To clear Speed Selection in MDIO control register(0x10),
+ie, clear bits 6 and 13 to zero while keeping other bits same.
+Before AND operation,The Mask value has to be perform with bitwise NOT
+operation (ie, ~ operator)
+
+This patch clears current speed selection before writing the
+new speed settings to gmii2rgmii converter
+
+Fixes: f411a6160bd4 ("net: phy: Add gmiitorgmii converter support")
+
+Signed-off-by: Fahad Kunnathadi <fahad.kunnathadi@dexceldesigns.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -44,7 +44,7 @@ static int xgmiitorgmii_read_status(stru
+ priv->phy_drv->read_status(phydev);
+
+ val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG);
+- val &= XILINX_GMII2RGMII_SPEED_MASK;
++ val &= ~XILINX_GMII2RGMII_SPEED_MASK;
+
+ if (phydev->speed == SPEED_1000)
+ val |= BMCR_SPEED1000;
diff --git a/patches.suse/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch b/patches.suse/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch
new file mode 100644
index 0000000000..50646461cf
--- /dev/null
+++ b/patches.suse/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch
@@ -0,0 +1,28 @@
+From: Zhao Qiang <qiang.zhao@nxp.com>
+Date: Mon, 18 Dec 2017 10:26:43 +0800
+Subject: net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
+Git-commit: c505873eaece2b4aefd07d339dc7e1400e0235ac
+Patch-mainline: v4.15-rc5
+References: networking-stable-17_12_31
+
+88E1145 also need this autoneg errata.
+
+Fixes: f2899788353c ("net: phy: marvell: Limit errata to 88m1101")
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/marvell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -2010,7 +2010,7 @@ static struct phy_driver marvell_drivers
+ .flags = PHY_HAS_INTERRUPT,
+ .probe = marvell_probe,
+ .config_init = &m88e1145_config_init,
+- .config_aneg = &marvell_config_aneg,
++ .config_aneg = &m88e1101_config_aneg,
+ .read_status = &genphy_read_status,
+ .ack_interrupt = &marvell_ack_interrupt,
+ .config_intr = &marvell_config_intr,
diff --git a/patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch b/patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch
new file mode 100644
index 0000000000..dd98128f8c
--- /dev/null
+++ b/patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch
@@ -0,0 +1,36 @@
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Wed, 20 Dec 2017 18:45:10 -0600
+Subject: net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg
+ workaround
+Git-commit: c1a8d0a3accf64a014d605e6806ce05d1c17adf1
+Patch-mainline: v4.15-rc6
+References: networking-stable-17_12_31
+
+Under some circumstances driver will perform PHY reset in
+ksz9031_read_status() to fix autoneg failure case (idle error count =
+0xFF). When this happens ksz9031 will not detect link status change any
+more when connecting to Netgear 1G switch (link can be recovered sometimes by
+restarting netdevice "ifconfig down up"). Reproduced with TI am572x board
+equipped with ksz9031 PHY while connecting to Netgear 1G switch.
+
+Fix the issue by reconfiguring autonegotiation after PHY reset in
+ksz9031_read_status().
+
+Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/micrel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -621,6 +621,7 @@ static int ksz9031_read_status(struct ph
+ phydev->link = 0;
+ if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev))
+ phydev->drv->config_intr(phydev);
++ return genphy_config_aneg(phydev);
+ }
+
+ return 0;
diff --git a/patches.suse/net-qcom-emac-specify-the-correct-size-when-mapping-.patch b/patches.suse/net-qcom-emac-specify-the-correct-size-when-mapping-.patch
new file mode 100644
index 0000000000..cb61dccab6
--- /dev/null
+++ b/patches.suse/net-qcom-emac-specify-the-correct-size-when-mapping-.patch
@@ -0,0 +1,33 @@
+From: Timur Tabi <timur@codeaurora.org>
+Date: Fri, 22 Sep 2017 15:32:44 -0500
+Subject: net: qcom/emac: specify the correct size when mapping a DMA buffer
+Git-commit: a93ad944f4ff9a797abff17c73fc4b1e4a1d9141
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+When mapping the RX DMA buffers, the driver was accidentally specifying
+zero for the buffer length. Under normal circumstances, SWIOTLB does not
+need to allocate a bounce buffer, so the address is just mapped without
+checking the size field. This is why the error was not detected earlier.
+
+Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -876,7 +876,8 @@ static void emac_mac_rx_descs_refill(str
+
+ curr_rxbuf->dma_addr =
+ dma_map_single(adpt->netdev->dev.parent, skb->data,
+- curr_rxbuf->length, DMA_FROM_DEVICE);
++ adpt->rxbuf_size, DMA_FROM_DEVICE);
++
+ ret = dma_mapping_error(adpt->netdev->dev.parent,
+ curr_rxbuf->dma_addr);
+ if (ret) {
diff --git a/patches.suse/net-realtek-r8169-implement-set_link_ksettings.patch b/patches.suse/net-realtek-r8169-implement-set_link_ksettings.patch
new file mode 100644
index 0000000000..e45bf79d8c
--- /dev/null
+++ b/patches.suse/net-realtek-r8169-implement-set_link_ksettings.patch
@@ -0,0 +1,98 @@
+From: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Date: Tue, 21 Nov 2017 16:15:57 +0100
+Subject: net: realtek: r8169: implement set_link_ksettings()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 9e77d7a5549dc4d4999a60676373ab3fd1dae4db
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_12_12
+
+Commit 6fa1ba61520576cf1346c4ff09a056f2950cb3bf partially
+implemented the new ethtool API, by replacing get_settings()
+with get_link_ksettings(). This breaks ethtool, since the
+userspace tool (according to the new API specs) never tries
+the legacy set() call, when the new get() call succeeds.
+
+All attempts to chance some setting from userspace result in:
+> Cannot set new settings: Operation not supported
+
+Implement the missing set() call.
+
+Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Tested-by: Holger Hoffstätte <holger@applied-asynchrony.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/realtek/r8169.c | 38 ++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -2025,21 +2025,6 @@ out:
+ return ret;
+ }
+
+-static int rtl8169_set_settings(struct net_device *dev, struct ethtool_cmd *cmd)
+-{
+- struct rtl8169_private *tp = netdev_priv(dev);
+- int ret;
+-
+- del_timer_sync(&tp->timer);
+-
+- rtl_lock_work(tp);
+- ret = rtl8169_set_speed(dev, cmd->autoneg, ethtool_cmd_speed(cmd),
+- cmd->duplex, cmd->advertising);
+- rtl_unlock_work(tp);
+-
+- return ret;
+-}
+-
+ static netdev_features_t rtl8169_fix_features(struct net_device *dev,
+ netdev_features_t features)
+ {
+@@ -2166,6 +2151,27 @@ static int rtl8169_get_link_ksettings(st
+ return rc;
+ }
+
++static int rtl8169_set_link_ksettings(struct net_device *dev,
++ const struct ethtool_link_ksettings *cmd)
++{
++ struct rtl8169_private *tp = netdev_priv(dev);
++ int rc;
++ u32 advertising;
++
++ if (!ethtool_convert_link_mode_to_legacy_u32(&advertising,
++ cmd->link_modes.advertising))
++ return -EINVAL;
++
++ del_timer_sync(&tp->timer);
++
++ rtl_lock_work(tp);
++ rc = rtl8169_set_speed(dev, cmd->base.autoneg, cmd->base.speed,
++ cmd->base.duplex, advertising);
++ rtl_unlock_work(tp);
++
++ return rc;
++}
++
+ static void rtl8169_get_regs(struct net_device *dev, struct ethtool_regs *regs,
+ void *p)
+ {
+@@ -2367,7 +2373,6 @@ static const struct ethtool_ops rtl8169_
+ .get_drvinfo = rtl8169_get_drvinfo,
+ .get_regs_len = rtl8169_get_regs_len,
+ .get_link = ethtool_op_get_link,
+- .set_settings = rtl8169_set_settings,
+ .get_msglevel = rtl8169_get_msglevel,
+ .set_msglevel = rtl8169_set_msglevel,
+ .get_regs = rtl8169_get_regs,
+@@ -2379,6 +2384,7 @@ static const struct ethtool_ops rtl8169_
+ .get_ts_info = ethtool_op_get_ts_info,
+ .nway_reset = rtl8169_nway_reset,
+ .get_link_ksettings = rtl8169_get_link_ksettings,
++ .set_link_ksettings = rtl8169_set_link_ksettings,
+ };
+
+ static void rtl8169_get_mac_version(struct rtl8169_private *tp,
diff --git a/patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch b/patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch
new file mode 100644
index 0000000000..e47a7fd37b
--- /dev/null
+++ b/patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch
@@ -0,0 +1,115 @@
+From: Shaohua Li <shli@fb.com>
+Date: Wed, 20 Dec 2017 12:10:21 -0800
+Subject: net: reevalulate autoflowlabel setting after sysctl setting
+Git-commit: 513674b5a2c9c7a67501506419da5c3c77ac6f08
+Patch-mainline: v4.15-rc5
+References: networking-stable-17_12_31
+
+sysctl.ip6.auto_flowlabels is default 1. In our hosts, we set it to 2.
+If sockopt doesn't set autoflowlabel, outcome packets from the hosts are
+supposed to not include flowlabel. This is true for normal packet, but
+not for reset packet.
+
+The reason is ipv6_pinfo.autoflowlabel is set in sock creation. Later if
+we change sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't
+changed, so the sock will keep the old behavior in terms of auto
+flowlabel. Reset packet is suffering from this problem, because reset
+packet is sent from a special control socket, which is created at boot
+time. Since sysctl.ipv6.auto_flowlabels is 1 by default, the control
+socket will always have its ipv6_pinfo.autoflowlabel set, even after
+user set sysctl.ipv6.auto_flowlabels to 1, so reset packset will always
+have flowlabel. Normal sock created before sysctl setting suffers from
+the same issue. We can't even turn off autoflowlabel unless we kill all
+socks in the hosts.
+
+To fix this, if IPV6_AUTOFLOWLABEL sockopt is used, we use the
+autoflowlabel setting from user, otherwise we always call
+ip6_default_np_autolabel() which has the new settings of sysctl.
+
+Note, this changes behavior a little bit. Before commit 42240901f7c4
+(ipv6: Implement different admin modes for automatic flow labels), the
+autoflowlabel behavior of a sock isn't sticky, eg, if sysctl changes,
+existing connection will change autoflowlabel behavior. After that
+commit, autoflowlabel behavior is sticky in the whole life of the sock.
+With this patch, the behavior isn't sticky again.
+
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Tom Herbert <tom@quantonium.net>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/ipv6.h | 3 ++-
+ net/ipv6/af_inet6.c | 1 -
+ net/ipv6/ip6_output.c | 12 ++++++++++--
+ net/ipv6/ipv6_sockglue.c | 1 +
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -255,7 +255,8 @@ struct ipv6_pinfo {
+ * 100: prefer care-of address
+ */
+ dontfrag:1,
+- autoflowlabel:1;
++ autoflowlabel:1,
++ autoflowlabel_set:1;
+ __u8 min_hopcount;
+ __u8 tclass;
+ __be32 rcv_flowinfo;
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -210,7 +210,6 @@ lookup_protocol:
+ np->mcast_hops = IPV6_DEFAULT_MCASTHOPS;
+ np->mc_loop = 1;
+ np->pmtudisc = IPV6_PMTUDISC_WANT;
+- np->autoflowlabel = ip6_default_np_autolabel(sock_net(sk));
+ sk->sk_ipv6only = net->ipv6.sysctl.bindv6only;
+
+ /* Init the ipv4 part of the socket since we can have sockets
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -166,6 +166,14 @@ int ip6_output(struct net *net, struct s
+ !(IP6CB(skb)->flags & IP6SKB_REROUTED));
+ }
+
++static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
++{
++ if (!np->autoflowlabel_set)
++ return ip6_default_np_autolabel(net);
++ else
++ return np->autoflowlabel;
++}
++
+ /*
+ * xmit an sk_buff (used by TCP, SCTP and DCCP)
+ * Note : socket lock is not held for SYNACK packets, but might be modified
+@@ -230,7 +238,7 @@ int ip6_xmit(const struct sock *sk, stru
+ hlimit = ip6_dst_hoplimit(dst);
+
+ ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
+- np->autoflowlabel, fl6));
++ ip6_autoflowlabel(net, np), fl6));
+
+ hdr->payload_len = htons(seg_len);
+ hdr->nexthdr = proto;
+@@ -1627,7 +1635,7 @@ struct sk_buff *__ip6_make_skb(struct so
+
+ ip6_flow_hdr(hdr, v6_cork->tclass,
+ ip6_make_flowlabel(net, skb, fl6->flowlabel,
+- np->autoflowlabel, fl6));
++ ip6_autoflowlabel(net, np), fl6));
+ hdr->hop_limit = v6_cork->hop_limit;
+ hdr->nexthdr = proto;
+ hdr->saddr = fl6->saddr;
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -883,6 +883,7 @@ pref_skip_coa:
+ break;
+ case IPV6_AUTOFLOWLABEL:
+ np->autoflowlabel = valbool;
++ np->autoflowlabel_set = 1;
+ retv = 0;
+ break;
+ case IPV6_RECVFRAGSIZE:
diff --git a/patches.suse/net-remove-hlist_nulls_add_tail_rcu.patch b/patches.suse/net-remove-hlist_nulls_add_tail_rcu.patch
new file mode 100644
index 0000000000..d635134671
--- /dev/null
+++ b/patches.suse/net-remove-hlist_nulls_add_tail_rcu.patch
@@ -0,0 +1,149 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Dec 2017 12:45:56 -0800
+Subject: net: remove hlist_nulls_add_tail_rcu()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: d7efc6c11b277d9d80b99b1334a78bfe7d7edf10
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_12
+
+Alexander Potapenko reported use of uninitialized memory [1]
+
+This happens when inserting a request socket into TCP ehash,
+in __sk_nulls_add_node_rcu(), since sk_reuseport is not initialized.
+
+Bug was added by commit d894ba18d4e4 ("soreuseport: fix ordering for
+mixed v4/v6 sockets")
+
+Note that d296ba60d8e2 ("soreuseport: Resolve merge conflict for v4/v6
+ordering fix") missed the opportunity to get rid of
+hlist_nulls_add_tail_rcu() :
+
+Both UDP sockets and TCP/DCCP listeners no longer use
+__sk_nulls_add_node_rcu() for their hash insertion.
+
+Since all other sockets have unique 4-tuple, the reuseport status
+has no special meaning, so we can always use hlist_nulls_add_head_rcu()
+for them and save few cycles/instructions.
+
+[1]
+
+==================================================================
+BUG: KMSAN: use of uninitialized memory in inet_ehash_insert+0xd40/0x1050
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0+ #3288
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:52
+ kmsan_report+0x13f/0x1c0 mm/kmsan/kmsan.c:1016
+ __msan_warning_32+0x69/0xb0 mm/kmsan/kmsan_instr.c:766
+ __sk_nulls_add_node_rcu ./include/net/sock.h:684
+ inet_ehash_insert+0xd40/0x1050 net/ipv4/inet_hashtables.c:413
+ reqsk_queue_hash_req net/ipv4/inet_connection_sock.c:754
+ inet_csk_reqsk_queue_hash_add+0x1cc/0x300 net/ipv4/inet_connection_sock.c:765
+ tcp_conn_request+0x31e7/0x36f0 net/ipv4/tcp_input.c:6414
+ tcp_v4_conn_request+0x16d/0x220 net/ipv4/tcp_ipv4.c:1314
+ tcp_rcv_state_process+0x42a/0x7210 net/ipv4/tcp_input.c:5917
+ tcp_v4_do_rcv+0xa6a/0xcd0 net/ipv4/tcp_ipv4.c:1483
+ tcp_v4_rcv+0x3de0/0x4ab0 net/ipv4/tcp_ipv4.c:1763
+ ip_local_deliver_finish+0x6bb/0xcb0 net/ipv4/ip_input.c:216
+ NF_HOOK ./include/linux/netfilter.h:248
+ ip_local_deliver+0x3fa/0x480 net/ipv4/ip_input.c:257
+ dst_input ./include/net/dst.h:477
+ ip_rcv_finish+0x6fb/0x1540 net/ipv4/ip_input.c:397
+ NF_HOOK ./include/linux/netfilter.h:248
+ ip_rcv+0x10f6/0x15c0 net/ipv4/ip_input.c:488
+ __netif_receive_skb_core+0x36f6/0x3f60 net/core/dev.c:4298
+ __netif_receive_skb net/core/dev.c:4336
+ netif_receive_skb_internal+0x63c/0x19c0 net/core/dev.c:4497
+ napi_skb_finish net/core/dev.c:4858
+ napi_gro_receive+0x629/0xa50 net/core/dev.c:4889
+ e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4018
+ e1000_clean_rx_irq+0x1492/0x1d30
+drivers/net/ethernet/intel/e1000/e1000_main.c:4474
+ e1000_clean+0x43aa/0x5970 drivers/net/ethernet/intel/e1000/e1000_main.c:3819
+ napi_poll net/core/dev.c:5500
+ net_rx_action+0x73c/0x1820 net/core/dev.c:5566
+ __do_softirq+0x4b4/0x8dd kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364
+ irq_exit+0x203/0x240 kernel/softirq.c:405
+ exiting_irq+0xe/0x10 ./arch/x86/include/asm/apic.h:638
+ do_IRQ+0x15e/0x1a0 arch/x86/kernel/irq.c:263
+ common_interrupt+0x86/0x86
+
+Fixes: d894ba18d4e4 ("soreuseport: fix ordering for mixed v4/v6 sockets")
+Fixes: d296ba60d8e2 ("soreuseport: Resolve merge conflict for v4/v6 ordering fix")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Alexander Potapenko <glider@google.com>
+Acked-by: Craig Gallek <kraig@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/rculist_nulls.h | 38 --------------------------------------
+ include/net/sock.h | 6 +-----
+ 2 files changed, 1 insertion(+), 43 deletions(-)
+
+--- a/include/linux/rculist_nulls.h
++++ b/include/linux/rculist_nulls.h
+@@ -100,44 +100,6 @@ static inline void hlist_nulls_add_head_
+ }
+
+ /**
+- * hlist_nulls_add_tail_rcu
+- * @n: the element to add to the hash list.
+- * @h: the list to add to.
+- *
+- * Description:
+- * Adds the specified element to the end of the specified hlist_nulls,
+- * while permitting racing traversals. NOTE: tail insertion requires
+- * list traversal.
+- *
+- * The caller must take whatever precautions are necessary
+- * (such as holding appropriate locks) to avoid racing
+- * with another list-mutation primitive, such as hlist_nulls_add_head_rcu()
+- * or hlist_nulls_del_rcu(), running on this same list.
+- * However, it is perfectly legal to run concurrently with
+- * the _rcu list-traversal primitives, such as
+- * hlist_nulls_for_each_entry_rcu(), used to prevent memory-consistency
+- * problems on Alpha CPUs. Regardless of the type of CPU, the
+- * list-traversal primitive must be guarded by rcu_read_lock().
+- */
+-static inline void hlist_nulls_add_tail_rcu(struct hlist_nulls_node *n,
+- struct hlist_nulls_head *h)
+-{
+- struct hlist_nulls_node *i, *last = NULL;
+-
+- for (i = hlist_nulls_first_rcu(h); !is_a_nulls(i);
+- i = hlist_nulls_next_rcu(i))
+- last = i;
+-
+- if (last) {
+- n->next = last->next;
+- n->pprev = &last->next;
+- rcu_assign_pointer(hlist_nulls_next_rcu(last), n);
+- } else {
+- hlist_nulls_add_head_rcu(n, h);
+- }
+-}
+-
+-/**
+ * hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type
+ * @tpos: the type * to use as a loop cursor.
+ * @pos: the &struct hlist_nulls_node to use as a loop cursor.
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -679,11 +679,7 @@ static inline void sk_add_node_rcu(struc
+
+ static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
+ {
+- if (IS_ENABLED(CONFIG_IPV6) && sk->sk_reuseport &&
+- sk->sk_family == AF_INET6)
+- hlist_nulls_add_tail_rcu(&sk->sk_nulls_node, list);
+- else
+- hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
++ hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
+ }
+
+ static inline void sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
diff --git a/patches.suse/net-sctp-Always-set-scope_id-in-sctp_inet6_skb_msgna.patch b/patches.suse/net-sctp-Always-set-scope_id-in-sctp_inet6_skb_msgna.patch
new file mode 100644
index 0000000000..238855994c
--- /dev/null
+++ b/patches.suse/net-sctp-Always-set-scope_id-in-sctp_inet6_skb_msgna.patch
@@ -0,0 +1,54 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 Nov 2017 22:17:48 -0600
+Subject: net/sctp: Always set scope_id in sctp_inet6_skb_msgname
+Git-commit: 7c8a61d9ee1df0fb4747879fa67a99614eb62fec
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_11_20
+
+Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
+discovered that in some configurations sctp would leak 4 bytes of
+kernel stack.
+
+Working with his reproducer I discovered that those 4 bytes that
+are leaked is the scope id of an ipv6 address returned by recvmsg.
+
+With a little code inspection and a shrewd guess I discovered that
+sctp_inet6_skb_msgname only initializes the scope_id field for link
+local ipv6 addresses to the interface index the link local address
+pertains to instead of initializing the scope_id field for all ipv6
+addresses.
+
+That is almost reasonable as scope_id's are meaniningful only for link
+local addresses. Set the scope_id in all other cases to 0 which is
+not a valid interface index to make it clear there is nothing useful
+in the scope_id field.
+
+There should be no danger of breaking userspace as the stack leak
+guaranteed that previously meaningless random data was being returned.
+
+Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
+History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/ipv6.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -805,9 +805,10 @@ static void sctp_inet6_skb_msgname(struc
+ addr->v6.sin6_flowinfo = 0;
+ addr->v6.sin6_port = sh->source;
+ addr->v6.sin6_addr = ipv6_hdr(skb)->saddr;
+- if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
++ if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb);
+- }
++ else
++ addr->v6.sin6_scope_id = 0;
+ }
+
+ *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr);
diff --git a/patches.suse/net-stmmac-enable-EEE-in-MII-GMII-or-RGMII-only.patch b/patches.suse/net-stmmac-enable-EEE-in-MII-GMII-or-RGMII-only.patch
new file mode 100644
index 0000000000..26c8c2d6ca
--- /dev/null
+++ b/patches.suse/net-stmmac-enable-EEE-in-MII-GMII-or-RGMII-only.patch
@@ -0,0 +1,43 @@
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 3 Jan 2018 16:46:29 +0100
+Subject: net: stmmac: enable EEE in MII, GMII or RGMII only
+Git-commit: 879626e3a52630316d817cbda7cec9a5446d1d82
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Note in the databook - Section 4.4 - EEE :
+" The EEE feature is not supported when the MAC is configured to use the
+TBI, RTBI, SMII, RMII or SGMII single PHY interface. Even if the MAC
+supports multiple PHY interfaces, you should activate the EEE mode only
+when the MAC is operating with GMII, MII, or RGMII interface."
+
+Applying this restriction solves a stability issue observed on Amlogic
+gxl platforms operating with RMII interface and the internal PHY.
+
+Fixes: 83bf79b6bb64 ("stmmac: disable at run-time the EEE if not supported")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Tested-by: Arnaud Patard <arnaud.patard@rtp-net.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -353,9 +353,15 @@ static void stmmac_eee_ctrl_timer(unsign
+ bool stmmac_eee_init(struct stmmac_priv *priv)
+ {
+ struct net_device *ndev = priv->dev;
++ int interface = priv->plat->interface;
+ unsigned long flags;
+ bool ret = false;
+
++ if ((interface != PHY_INTERFACE_MODE_MII) &&
++ (interface != PHY_INTERFACE_MODE_GMII) &&
++ !phy_interface_mode_is_rgmii(interface))
++ goto out;
++
+ /* Using PCS we cannot dial with the phy registers at this stage
+ * so we do not support extra feature like EEE.
+ */
diff --git a/patches.suse/net-systemport-Correct-IPG-length-settings.patch b/patches.suse/net-systemport-Correct-IPG-length-settings.patch
new file mode 100644
index 0000000000..bad3157736
--- /dev/null
+++ b/patches.suse/net-systemport-Correct-IPG-length-settings.patch
@@ -0,0 +1,43 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 2 Nov 2017 16:08:40 -0700
+Subject: net: systemport: Correct IPG length settings
+Git-commit: 93824c80bf47ebe087414b3a40ca0ff9aab7d1fb
+Patch-mainline: v4.14-rc8
+References: networking-stable-17_11_20
+
+Due to a documentation mistake, the IPG length was set to 0x12 while it
+should have been 12 (decimal). This would affect short packet (64B
+typically) performance since the IPG was bigger than necessary.
+
+Fixes: 44a4524c54af ("net: systemport: Add support for SYSTEMPORT Lite")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1739,15 +1739,17 @@ static inline void bcm_sysport_mask_all_
+
+ static inline void gib_set_pad_extension(struct bcm_sysport_priv *priv)
+ {
+- u32 __maybe_unused reg;
++ u32 reg;
+
+- /* Include Broadcom tag in pad extension */
++ reg = gib_readl(priv, GIB_CONTROL);
++ /* Include Broadcom tag in pad extension and fix up IPG_LENGTH */
+ if (netdev_uses_dsa(priv->netdev)) {
+- reg = gib_readl(priv, GIB_CONTROL);
+ reg &= ~(GIB_PAD_EXTENSION_MASK << GIB_PAD_EXTENSION_SHIFT);
+ reg |= ENET_BRCM_TAG_LEN << GIB_PAD_EXTENSION_SHIFT;
+- gib_writel(priv, reg, GIB_CONTROL);
+ }
++ reg &= ~(GIB_IPG_LEN_MASK << GIB_IPG_LEN_SHIFT);
++ reg |= 12 << GIB_IPG_LEN_SHIFT;
++ gib_writel(priv, reg, GIB_CONTROL);
+ }
+
+ static int bcm_sysport_open(struct net_device *dev)
diff --git a/patches.suse/net-unix-don-t-show-information-about-sockets-from-o.patch b/patches.suse/net-unix-don-t-show-information-about-sockets-from-o.patch
new file mode 100644
index 0000000000..78c1db5e28
--- /dev/null
+++ b/patches.suse/net-unix-don-t-show-information-about-sockets-from-o.patch
@@ -0,0 +1,36 @@
+From: Andrei Vagin <avagin@openvz.org>
+Date: Wed, 25 Oct 2017 10:16:42 -0700
+Subject: net/unix: don't show information about sockets from other namespaces
+Git-commit: 0f5da659d8f1810f44de14acf2c80cd6499623a0
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+socket_diag shows information only about sockets from a namespace where
+a diag socket lives.
+
+But if we request information about one unix socket, the kernel don't
+check that its netns is matched with a diag socket namespace, so any
+user can get information about any unix socket in a system. This looks
+like a bug.
+
+v2: add a Fixes tag
+
+Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")
+Signed-off-by: Andrei Vagin <avagin@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/unix/diag.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -257,6 +257,8 @@ static int unix_diag_get_exact(struct sk
+ err = -ENOENT;
+ if (sk == NULL)
+ goto out_nosk;
++ if (!net_eq(sock_net(sk), net))
++ goto out;
+
+ err = sock_diag_check_cookie(sk, req->udiag_cookie);
+ if (err)
diff --git a/patches.suse/netfilter-ipvs-clear-ipvs_property-flag-when-SKB-net.patch b/patches.suse/netfilter-ipvs-clear-ipvs_property-flag-when-SKB-net.patch
new file mode 100644
index 0000000000..7a3288b711
--- /dev/null
+++ b/patches.suse/netfilter-ipvs-clear-ipvs_property-flag-when-SKB-net.patch
@@ -0,0 +1,51 @@
+From: Ye Yin <hustcat@gmail.com>
+Date: Thu, 26 Oct 2017 16:57:05 +0800
+Subject: netfilter/ipvs: clear ipvs_property flag when SKB net namespace
+ changed
+Git-commit: 2b5ec1a5f9738ee7bf8f5ec0526e75e00362c48f
+Patch-mainline: v4.14
+References: networking-stable-17_11_20
+
+When run ipvs in two different network namespace at the same host, and one
+ipvs transport network traffic to the other network namespace ipvs.
+'ipvs_property' flag will make the second ipvs take no effect. So we should
+clear 'ipvs_property' when SKB network namespace changed.
+
+Fixes: 621e84d6f373 ("dev: introduce skb_scrub_packet()")
+Signed-off-by: Ye Yin <hustcat@gmail.com>
+Signed-off-by: Wei Zhou <chouryzhou@gmail.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/skbuff.h | 7 +++++++
+ net/core/skbuff.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3614,6 +3614,13 @@ static inline void nf_reset_trace(struct
+ #endif
+ }
+
++static inline void ipvs_reset(struct sk_buff *skb)
++{
++#if IS_ENABLED(CONFIG_IP_VS)
++ skb->ipvs_property = 0;
++#endif
++}
++
+ /* Note: This doesn't put any conntrack and bridge info in dst. */
+ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
+ bool copy)
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4441,6 +4441,7 @@ void skb_scrub_packet(struct sk_buff *sk
+ if (!xnet)
+ return;
+
++ ipvs_reset(skb);
+ skb_orphan(skb);
+ skb->mark = 0;
+ }
diff --git a/patches.suse/netlink-do-not-proceed-if-dump-s-start-errs.patch b/patches.suse/netlink-do-not-proceed-if-dump-s-start-errs.patch
new file mode 100644
index 0000000000..573519cca1
--- /dev/null
+++ b/patches.suse/netlink-do-not-proceed-if-dump-s-start-errs.patch
@@ -0,0 +1,46 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 28 Sep 2017 00:41:44 +0200
+Subject: netlink: do not proceed if dump's start() errs
+Git-commit: fef0035c0f31322d417d1954bba5ab959bf91183
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+Drivers that use the start method for netlink dumping rely on dumpit not
+being called if start fails. For example, ila_xlat.c allocates memory
+and assigns it to cb->args[0] in its start() function. It might fail to
+do that and return -ENOMEM instead. However, even when returning an
+error, dumpit will be called, which, in the example above, quickly
+dereferences the memory in cb->args[0], which will OOPS the kernel. This
+is but one example of how this goes wrong.
+
+Since start() has always been a function with an int return type, it
+therefore makes sense to use it properly, rather than ignoring it. This
+patch thus returns early and does not call dumpit() when start() fails.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netlink/af_netlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2262,10 +2262,13 @@ int __netlink_dump_start(struct sock *ss
+
+ mutex_unlock(nlk->cb_mutex);
+
++ ret = 0;
+ if (cb->start)
+- cb->start(cb);
++ ret = cb->start(cb);
++
++ if (!ret)
++ ret = netlink_dump(sk);
+
+- ret = netlink_dump(sk);
+ sock_put(sk);
+
+ if (ret)
diff --git a/patches.suse/netlink-do-not-set-cb_running-if-dump-s-start-errs.patch b/patches.suse/netlink-do-not-set-cb_running-if-dump-s-start-errs.patch
new file mode 100644
index 0000000000..bdf5d9cbe4
--- /dev/null
+++ b/patches.suse/netlink-do-not-set-cb_running-if-dump-s-start-errs.patch
@@ -0,0 +1,58 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 9 Oct 2017 14:14:51 +0200
+Subject: netlink: do not set cb_running if dump's start() errs
+Git-commit: 41c87425a1ac9b633e0fcc78eb1f19640c8fb5a0
+Patch-mainline: v4.14-rc5
+References: networking-stable-17_11_14
+
+It turns out that multiple places can call netlink_dump(), which means
+it's still possible to dereference partially initialized values in
+dump() that were the result of a faulty returned start().
+
+This fixes the issue by calling start() _before_ setting cb_running to
+true, so that there's no chance at all of hitting the dump() function
+through any indirect paths.
+
+It also moves the call to start() to be when the mutex is held. This has
+the nice side effect of serializing invocations to start(), which is
+likely desirable anyway. It also prevents any possible other races that
+might come out of this logic.
+
+In testing this with several different pieces of tricky code to trigger
+these issues, this commit fixes all avenues that I'm aware of.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netlink/af_netlink.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2258,16 +2258,17 @@ int __netlink_dump_start(struct sock *ss
+ cb->min_dump_alloc = control->min_dump_alloc;
+ cb->skb = skb;
+
++ if (cb->start) {
++ ret = cb->start(cb);
++ if (ret)
++ goto error_unlock;
++ }
++
+ nlk->cb_running = true;
+
+ mutex_unlock(nlk->cb_mutex);
+
+- ret = 0;
+- if (cb->start)
+- ret = cb->start(cb);
+-
+- if (!ret)
+- ret = netlink_dump(sk);
++ ret = netlink_dump(sk);
+
+ sock_put(sk);
+
diff --git a/patches.suse/netlink-put-module-reference-if-dump-start-fails.patch b/patches.suse/netlink-put-module-reference-if-dump-start-fails.patch
new file mode 100644
index 0000000000..15c4b2ecc6
--- /dev/null
+++ b/patches.suse/netlink-put-module-reference-if-dump-start-fails.patch
@@ -0,0 +1,45 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 21 Feb 2018 04:41:59 +0100
+Subject: netlink: put module reference if dump start fails
+Git-commit: b87b6194be631c94785fe93398651e804ed43e28
+Patch-mainline: v4.16-rc3
+References: git-fixes
+
+Before, if cb->start() failed, the module reference would never be put,
+because cb->cb_running is intentionally false at this point. Users are
+generally annoyed by this because they can no longer unload modules that
+leak references. Also, it may be possible to tediously wrap a reference
+counter back to zero, especially since module.c still uses atomic_inc
+instead of refcount_inc.
+
+This patch expands the error path to simply call module_put if
+cb->start() fails.
+
+Fixes: 41c87425a1ac ("netlink: do not set cb_running if dump's start() errs")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netlink/af_netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2268,7 +2268,7 @@ int __netlink_dump_start(struct sock *ss
+ if (cb->start) {
+ ret = cb->start(cb);
+ if (ret)
+- goto error_unlock;
++ goto error_put;
+ }
+
+ nlk->cb_running = true;
+@@ -2288,6 +2288,8 @@ int __netlink_dump_start(struct sock *ss
+ */
+ return -EINTR;
+
++error_put:
++ module_put(control->module);
+ error_unlock:
+ sock_put(sk);
+ mutex_unlock(nlk->cb_mutex);
diff --git a/patches.suse/ppp-fix-race-in-ppp-device-destruction.patch b/patches.suse/ppp-fix-race-in-ppp-device-destruction.patch
new file mode 100644
index 0000000000..9c9b48c11d
--- /dev/null
+++ b/patches.suse/ppp-fix-race-in-ppp-device-destruction.patch
@@ -0,0 +1,110 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 6 Oct 2017 17:05:49 +0200
+Subject: ppp: fix race in ppp device destruction
+Git-commit: 6151b8b37b119e8e3a8401b080d532520c95faf4
+Patch-mainline: v4.14-rc5
+References: networking-stable-17_11_14
+
+ppp_release() tries to ensure that netdevices are unregistered before
+decrementing the unit refcount and running ppp_destroy_interface().
+
+This is all fine as long as the the device is unregistered by
+ppp_release(): the unregister_netdevice() call, followed by
+rtnl_unlock(), guarantee that the unregistration process completes
+before rtnl_unlock() returns.
+
+However, the device may be unregistered by other means (like
+ppp_nl_dellink()). If this happens right before ppp_release() calling
+rtnl_lock(), then ppp_release() has to wait for the concurrent
+unregistration code to release the lock.
+But rtnl_unlock() releases the lock before completing the device
+unregistration process. This allows ppp_release() to proceed and
+eventually call ppp_destroy_interface() before the unregistration
+process completes. Calling free_netdev() on this partially unregistered
+device will BUG():
+
+ ------------[ cut here ]------------
+ kernel BUG at net/core/dev.c:8141!
+ invalid opcode: 0000 [#1] SMP
+
+ CPU: 1 PID: 1557 Comm: pppd Not tainted 4.14.0-rc2+ #4
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
+
+ Call Trace:
+ ppp_destroy_interface+0xd8/0xe0 [ppp_generic]
+ ppp_disconnect_channel+0xda/0x110 [ppp_generic]
+ ppp_unregister_channel+0x5e/0x110 [ppp_generic]
+ pppox_unbind_sock+0x23/0x30 [pppox]
+ pppoe_connect+0x130/0x440 [pppoe]
+ SYSC_connect+0x98/0x110
+ ? do_fcntl+0x2c0/0x5d0
+ SyS_connect+0xe/0x10
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+
+ RIP: free_netdev+0x107/0x110 RSP: ffffc28a40573d88
+ ---[ end trace ed294ff0cc40eeff ]---
+
+We could set the ->needs_free_netdev flag on PPP devices and move the
+ppp_destroy_interface() logic in the ->priv_destructor() callback. But
+that'd be quite intrusive as we'd first need to unlink from the other
+channels and units that depend on the device (the ones that used the
+PPPIOCCONNECT and PPPIOCATTACH ioctls).
+
+Instead, we can just let the netdevice hold a reference on its
+ppp_file. This reference is dropped in ->priv_destructor(), at the very
+end of the unregistration process, so that neither ppp_release() nor
+ppp_disconnect_channel() can call ppp_destroy_interface() in the interim.
+
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Fixes: 8cb775bc0a34 ("ppp: fix device unregistration upon netns deletion")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ppp/ppp_generic.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1338,7 +1338,17 @@ ppp_get_stats64(struct net_device *dev,
+
+ static int ppp_dev_init(struct net_device *dev)
+ {
++ struct ppp *ppp;
++
+ netdev_lockdep_set_classes(dev);
++
++ ppp = netdev_priv(dev);
++ /* Let the netdevice take a reference on the ppp file. This ensures
++ * that ppp_destroy_interface() won't run before the device gets
++ * unregistered.
++ */
++ atomic_inc(&ppp->file.refcnt);
++
+ return 0;
+ }
+
+@@ -1361,6 +1371,15 @@ static void ppp_dev_uninit(struct net_de
+ wake_up_interruptible(&ppp->file.rwait);
+ }
+
++static void ppp_dev_priv_destructor(struct net_device *dev)
++{
++ struct ppp *ppp;
++
++ ppp = netdev_priv(dev);
++ if (atomic_dec_and_test(&ppp->file.refcnt))
++ ppp_destroy_interface(ppp);
++}
++
+ static const struct net_device_ops ppp_netdev_ops = {
+ .ndo_init = ppp_dev_init,
+ .ndo_uninit = ppp_dev_uninit,
+@@ -1386,6 +1405,7 @@ static void ppp_setup(struct net_device
+ dev->tx_queue_len = 3;
+ dev->type = ARPHRD_PPP;
+ dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
++ dev->priv_destructor = ppp_dev_priv_destructor;
+ netif_keep_dst(dev);
+ }
+
diff --git a/patches.suse/ptr_ring-add-barriers.patch b/patches.suse/ptr_ring-add-barriers.patch
new file mode 100644
index 0000000000..85abd13273
--- /dev/null
+++ b/patches.suse/ptr_ring-add-barriers.patch
@@ -0,0 +1,61 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Tue, 5 Dec 2017 21:29:37 +0200
+Subject: ptr_ring: add barriers
+Git-commit: a8ceb5dbfde1092b466936bca0ff3be127ecf38e
+Patch-mainline: v4.15-rc4
+References: networking-stable-17_12_31
+
+Users of ptr_ring expect that it's safe to give the
+data structure a pointer and have it be available
+to consumers, but that actually requires an smb_wmb
+or a stronger barrier.
+
+In absence of such barriers and on architectures that reorder writes,
+consumer might read an un=initialized value from an skb pointer stored
+in the skb array. This was observed causing crashes.
+
+To fix, add memory barriers. The barrier we use is a wmb, the
+assumption being that producers do not need to read the value so we do
+not need to order these reads.
+
+Reported-by: George Cherian <george.cherian@cavium.com>
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/ptr_ring.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/include/linux/ptr_ring.h
++++ b/include/linux/ptr_ring.h
+@@ -101,12 +101,18 @@ static inline bool ptr_ring_full_bh(stru
+
+ /* Note: callers invoking this in a loop must use a compiler barrier,
+ * for example cpu_relax(). Callers must hold producer_lock.
++ * Callers are responsible for making sure pointer that is being queued
++ * points to a valid data.
+ */
+ static inline int __ptr_ring_produce(struct ptr_ring *r, void *ptr)
+ {
+ if (unlikely(!r->size) || r->queue[r->producer])
+ return -ENOSPC;
+
++ /* Make sure the pointer we are storing points to a valid data. */
++ /* Pairs with smp_read_barrier_depends in __ptr_ring_consume. */
++ smp_wmb();
++
+ r->queue[r->producer++] = ptr;
+ if (unlikely(r->producer >= r->size))
+ r->producer = 0;
+@@ -275,6 +281,9 @@ static inline void *__ptr_ring_consume(s
+ if (ptr)
+ __ptr_ring_discard_one(r);
+
++ /* Make sure anyone accessing data through the pointer is up to date. */
++ /* Pairs with smp_wmb in __ptr_ring_produce. */
++ smp_read_barrier_depends();
+ return ptr;
+ }
+
diff --git a/patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch b/patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch
new file mode 100644
index 0000000000..2c4c2c2eba
--- /dev/null
+++ b/patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch
@@ -0,0 +1,79 @@
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Tue, 7 Nov 2017 13:47:56 +0100
+Subject: qmi_wwan: Add missing skb_reset_mac_header-call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 0de0add10e587effa880c741c9413c874f16be91
+Patch-mainline: v4.14
+References: networking-stable-17_11_20
+
+When we receive a packet on a QMI device in raw IP mode, we should call
+skb_reset_mac_header() to ensure that skb->mac_header contains a valid
+offset in the packet. While it shouldn't really matter, the packets have
+no MAC header and the interface is configured as-such, it seems certain
+parts of the network stack expects a "good" value in skb->mac_header.
+
+Without the skb_reset_mac_header() call added in this patch, for example
+shaping traffic (using tc) triggers the following oops on the first
+received packet:
+
+[ 303.642957] skbuff: skb_under_panic: text:8f137918 len:177 put:67 head:8e4b0f00 data:8e4b0eff tail:0x8e4b0fb0 end:0x8e4b1520 dev:wwan0
+[ 303.655045] Kernel bug detected[#1]:
+[ 303.658622] CPU: 1 PID: 1002 Comm: logd Not tainted 4.9.58 #0
+[ 303.664339] task: 8fdf05e0 task.stack: 8f15c000
+[ 303.668844] $ 0 : 00000000 00000001 0000007a 00000000
+[ 303.674062] $ 4 : 8149a2fc 8149a2fc 8149ce20 00000000
+[ 303.679284] $ 8 : 00000030 3878303a 31623465 20303235
+[ 303.684510] $12 : ded731e3 2626a277 00000000 03bd0000
+[ 303.689747] $16 : 8ef62b40 00000043 8f137918 804db5fc
+[ 303.694978] $20 : 00000001 00000004 8fc13800 00000003
+[ 303.700215] $24 : 00000001 8024ab10
+[ 303.705442] $28 : 8f15c000 8fc19cf0 00000043 802cc920
+[ 303.710664] Hi : 00000000
+[ 303.713533] Lo : 74e58000
+[ 303.716436] epc : 802cc920 skb_panic+0x58/0x5c
+[ 303.721046] ra : 802cc920 skb_panic+0x58/0x5c
+[ 303.725639] Status: 11007c03 KERNEL EXL IE
+[ 303.729823] Cause : 50800024 (ExcCode 09)
+[ 303.733817] PrId : 0001992f (MIPS 1004Kc)
+[ 303.737892] Modules linked in: rt2800pci rt2800mmio rt2800lib qcserial ppp_async option usb_wwan rt2x00pci rt2x00mmio rt2x00lib rndis_host qmi_wwan ppp_generic nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6 mt76x2i
+Process logd (pid: 1002, threadinfo=8f15c000, task=8fdf05e0, tls=77b3eee4)
+[ 303.962509] Stack : 00000000 80408990 8f137918 000000b1 00000043 8e4b0f00 8e4b0eff 8e4b0fb0
+[ 303.970871] 8e4b1520 8fec1800 00000043 802cd2a4 6e000045 00000043 00000000 8ef62000
+[ 303.979219] 8eef5d00 8ef62b40 8fea7300 8f137918 00000000 00000000 0002bb01 793e5664
+[ 303.987568] 8ef08884 00000001 8fea7300 00000002 8fc19e80 8eef5d00 00000006 00000003
+[ 303.995934] 00000000 8030ba90 00000003 77ab3fd0 8149dc80 8004d1bc 8f15c000 8f383700
+[ 304.004324] ...
+[ 304.006767] Call Trace:
+[ 304.009241] [<802cc920>] skb_panic+0x58/0x5c
+[ 304.013504] [<802cd2a4>] skb_push+0x78/0x90
+[ 304.017783] [<8f137918>] 0x8f137918
+[ 304.021269] Code: 00602825 0c02a3b4 24842888 <000c000d> 8c870060 8c8200a0 0007382b 00070336 8c88005c
+[ 304.031034]
+[ 304.032805] ---[ end trace b778c482b3f0bda9 ]---
+[ 304.041384] Kernel panic - not syncing: Fatal exception in interrupt
+[ 304.051975] Rebooting in 3 seconds..
+
+While the oops is for a 4.9-kernel, I was able to trigger the same oops with
+net-next as of yesterday.
+
+Fixes: 32f7adf633b9 ("net: qmi_wwan: support "raw IP" mode")
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -499,6 +499,7 @@ static int qmi_wwan_rx_fixup(struct usbn
+ return 1;
+ }
+ if (rawip) {
++ skb_reset_mac_header(skb);
+ skb->dev = dev->net; /* normally set by eth_type_trans */
+ skb->protocol = proto;
+ return 1;
diff --git a/patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch b/patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch
index a1a1c711f1..f7f808695c 100644
--- a/patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch
+++ b/patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch
@@ -4,7 +4,8 @@ Subject: [PATCH] sched/numa: Stagger NUMA balancing scan periods for new
threads
References: Automatic NUMA Balancing (fate#315482)
-Patch-mainline: No, expected 4.18
+Git-commit: 1378447598432513d94ce2c607c412dc4f260f31
+Patch-mainline: 4.18
Threads share an address space and each can change the protections of the
same address space to trap NUMA faults. This is redundant and potentially
diff --git a/patches.suse/sctp-do-not-retransmit-upon-FragNeeded-if-PMTU-disco.patch b/patches.suse/sctp-do-not-retransmit-upon-FragNeeded-if-PMTU-disco.patch
new file mode 100644
index 0000000000..8e079f942e
--- /dev/null
+++ b/patches.suse/sctp-do-not-retransmit-upon-FragNeeded-if-PMTU-disco.patch
@@ -0,0 +1,62 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 5 Jan 2018 11:17:17 -0200
+Subject: sctp: do not retransmit upon FragNeeded if PMTU discovery is disabled
+Git-commit: cc35c3d1edf7a8373a1a5daa80a912dec96a9cd5
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Currently, if PMTU discovery is disabled on a given transport, but the
+configured value is higher than the actual PMTU, it is likely that we
+will get some icmp Frag Needed. The issue is, if PMTU discovery is
+disabled, we won't update the information and will issue a
+retransmission immediately, which may very well trigger another ICMP,
+and another retransmission, leading to a loop.
+
+The fix is to simply not trigger immediate retransmissions if PMTU
+discovery is disabled on the given transport.
+
+Changes from v2:
+- updated stale comment, noticed by Xin Long
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/input.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -399,20 +399,20 @@ void sctp_icmp_frag_needed(struct sock *
+ return;
+ }
+
+- if (t->param_flags & SPP_PMTUD_ENABLE) {
+- /* Update transports view of the MTU */
+- sctp_transport_update_pmtu(t, pmtu);
++ if (!(t->param_flags & SPP_PMTUD_ENABLE))
++ /* We can't allow retransmitting in such case, as the
++ * retransmission would be sized just as before, and thus we
++ * would get another icmp, and retransmit again.
++ */
++ return;
+
+- /* Update association pmtu. */
+- sctp_assoc_sync_pmtu(asoc);
+- }
++ /* Update transports view of the MTU */
++ sctp_transport_update_pmtu(t, pmtu);
++
++ /* Update association pmtu. */
++ sctp_assoc_sync_pmtu(asoc);
+
+- /* Retransmit with the new pmtu setting.
+- * Normally, if PMTU discovery is disabled, an ICMP Fragmentation
+- * Needed will never be sent, but if a message was sent before
+- * PMTU discovery was disabled that was larger than the PMTU, it
+- * would not be fragmented, so it must be re-transmitted fragmented.
+- */
++ /* Retransmit with the new pmtu setting. */
+ sctp_retransmit(&asoc->outqueue, t, SCTP_RTXR_PMTUD);
+ }
+
diff --git a/patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch b/patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch
new file mode 100644
index 0000000000..7021e0a2f9
--- /dev/null
+++ b/patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch
@@ -0,0 +1,129 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri, 5 Jan 2018 11:17:18 -0200
+Subject: sctp: fix the handling of ICMP Frag Needed for too small MTUs
+Git-commit: b6c5734db07079c9410147b32407f2366d584e6c
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+syzbot reported a hang involving SCTP, on which it kept flooding dmesg
+with the message:
+[ 246.742374] sctp: sctp_transport_update_pmtu: Reported pmtu 508 too
+low, using default minimum of 512
+
+That happened because whenever SCTP hits an ICMP Frag Needed, it tries
+to adjust to the new MTU and triggers an immediate retransmission. But
+it didn't consider the fact that MTUs smaller than the SCTP minimum MTU
+allowed (512) would not cause the PMTU to change, and issued the
+retransmission anyway (thus leading to another ICMP Frag Needed, and so
+on).
+
+As IPv4 (ip_rt_min_pmtu=556) and IPv6 (IPV6_MIN_MTU=1280) minimum MTU
+are higher than that, sctp_transport_update_pmtu() is changed to
+re-fetch the PMTU that got set after our request, and with that, detect
+if there was an actual change or not.
+
+The fix, thus, skips the immediate retransmission if the received ICMP
+resulted in no change, in the hope that SCTP will select another path.
+
+Note: The value being used for the minimum MTU (512,
+SCTP_DEFAULT_MINSEGMENT) is not right and instead it should be (576,
+SCTP_MIN_PMTU), but such change belongs to another patch.
+
+Changes from v1:
+- do not disable PMTU discovery, in the light of commit
+06ad391919b2 ("[SCTP] Don't disable PMTU discovery when mtu is small")
+and as suggested by Xin Long.
+- changed the way to break the rtx loop by detecting if the icmp
+ resulted in a change or not
+Changes from v2:
+none
+
+See-also: https://lkml.org/lkml/2017/12/22/811
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/sctp/structs.h | 2 +-
+ net/sctp/input.c | 8 ++++++--
+ net/sctp/transport.c | 29 +++++++++++++++++++----------
+ 3 files changed, 26 insertions(+), 13 deletions(-)
+
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -953,7 +953,7 @@ void sctp_transport_burst_limited(struct
+ void sctp_transport_burst_reset(struct sctp_transport *);
+ unsigned long sctp_transport_timeout(struct sctp_transport *);
+ void sctp_transport_reset(struct sctp_transport *t);
+-void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu);
++bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu);
+ void sctp_transport_immediate_rtx(struct sctp_transport *);
+ void sctp_transport_dst_release(struct sctp_transport *t);
+ void sctp_transport_dst_confirm(struct sctp_transport *t);
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -406,8 +406,12 @@ void sctp_icmp_frag_needed(struct sock *
+ */
+ return;
+
+- /* Update transports view of the MTU */
+- sctp_transport_update_pmtu(t, pmtu);
++ /* Update transports view of the MTU. Return if no update was needed.
++ * If an update wasn't needed/possible, it also doesn't make sense to
++ * try to retransmit now.
++ */
++ if (!sctp_transport_update_pmtu(t, pmtu))
++ return;
+
+ /* Update association pmtu. */
+ sctp_assoc_sync_pmtu(asoc);
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -251,28 +251,37 @@ void sctp_transport_pmtu(struct sctp_tra
+ transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
+ }
+
+-void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
++bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
+ {
+ struct dst_entry *dst = sctp_transport_dst_check(t);
++ bool change = true;
+
+ if (unlikely(pmtu < SCTP_DEFAULT_MINSEGMENT)) {
+- pr_warn("%s: Reported pmtu %d too low, using default minimum of %d\n",
+- __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
+- /* Use default minimum segment size and disable
+- * pmtu discovery on this transport.
+- */
+- t->pathmtu = SCTP_DEFAULT_MINSEGMENT;
+- } else {
+- t->pathmtu = pmtu;
++ pr_warn_ratelimited("%s: Reported pmtu %d too low, using default minimum of %d\n",
++ __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
++ /* Use default minimum segment instead */
++ pmtu = SCTP_DEFAULT_MINSEGMENT;
+ }
++ pmtu = SCTP_TRUNC4(pmtu);
+
+ if (dst) {
+ dst->ops->update_pmtu(dst, t->asoc->base.sk, NULL, pmtu);
+ dst = sctp_transport_dst_check(t);
+ }
+
+- if (!dst)
++ if (!dst) {
+ t->af_specific->get_dst(t, &t->saddr, &t->fl, t->asoc->base.sk);
++ dst = t->dst;
++ }
++
++ if (dst) {
++ /* Re-fetch, as under layers may have a higher minimum size */
++ pmtu = SCTP_TRUNC4(dst_mtu(dst));
++ change = t->pathmtu != pmtu;
++ }
++ t->pathmtu = pmtu;
++
++ return change;
+ }
+
+ /* Caches the dst entry and source address for a transport's destination
diff --git a/patches.suse/sctp-full-support-for-ipv6-ip_nonlocal_bind-IP_FREEB.patch b/patches.suse/sctp-full-support-for-ipv6-ip_nonlocal_bind-IP_FREEB.patch
new file mode 100644
index 0000000000..4a43d96dc8
--- /dev/null
+++ b/patches.suse/sctp-full-support-for-ipv6-ip_nonlocal_bind-IP_FREEB.patch
@@ -0,0 +1,52 @@
+From: Laszlo Toth <laszlth@gmail.com>
+Date: Mon, 23 Oct 2017 19:19:33 +0200
+Subject: sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
+Git-commit: b71d21c274eff20a9db8158882b545b141b73ab8
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+Commit 9b9742022888 ("sctp: support ipv6 nonlocal bind")
+introduced support for the above options as v4 sctp did,
+so patched sctp_v6_available().
+
+In the v4 implementation it's enough, because
+sctp_inet_bind_verify() just returns with sctp_v4_available().
+However sctp_inet6_bind_verify() has an extra check before that
+for link-local scope_id, which won't respect the above options.
+
+Added the checks before calling ipv6_chk_addr(), but
+not before the validation of scope_id.
+
+before (w/ both options):
+ ./v6test fe80::10 sctp
+ bind failed, errno: 99 (Cannot assign requested address)
+ ./v6test fe80::10 tcp
+ bind success, errno: 0 (Success)
+
+after (w/ both options):
+ ./v6test fe80::10 sctp
+ bind success, errno: 0 (Success)
+
+Signed-off-by: Laszlo Toth <laszlth@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/ipv6.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -880,8 +880,10 @@ static int sctp_inet6_bind_verify(struct
+ net = sock_net(&opt->inet.sk);
+ rcu_read_lock();
+ dev = dev_get_by_index_rcu(net, addr->v6.sin6_scope_id);
+- if (!dev ||
+- !ipv6_chk_addr(net, &addr->v6.sin6_addr, dev, 0)) {
++ if (!dev || !(opt->inet.freebind ||
++ net->ipv6.sysctl.ip_nonlocal_bind ||
++ ipv6_chk_addr(net, &addr->v6.sin6_addr,
++ dev, 0))) {
+ rcu_read_unlock();
+ return 0;
+ }
diff --git a/patches.suse/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_t.patch b/patches.suse/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_t.patch
new file mode 100644
index 0000000000..db47802b0d
--- /dev/null
+++ b/patches.suse/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_t.patch
@@ -0,0 +1,43 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 14 Sep 2017 02:00:54 +0300
+Subject: sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
+Git-commit: fa5f7b51fc3080c2b195fa87c7eca7c05e56f673
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+This code causes a static checker warning because Smatch doesn't trust
+anything that comes from skb->data. I've reviewed this code and I do
+think skb->data can be controlled by the user here.
+
+The sctp_event_subscribe struct has 13 __u8 fields and we want to see
+if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range.
+We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read
+either before the start of the struct or after the end.
+
+This is a very old bug and it's surprising that it would go undetected
+for so long but my theory is that it just doesn't have a big impact so
+it would be hard to notice.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/sctp/ulpevent.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/net/sctp/ulpevent.h
++++ b/include/net/sctp/ulpevent.h
+@@ -153,8 +153,12 @@ __u16 sctp_ulpevent_get_notification_typ
+ static inline int sctp_ulpevent_type_enabled(__u16 sn_type,
+ struct sctp_event_subscribe *mask)
+ {
++ int offset = sn_type - SCTP_SN_TYPE_BASE;
+ char *amask = (char *) mask;
+- return amask[sn_type - SCTP_SN_TYPE_BASE];
++
++ if (offset >= sizeof(struct sctp_event_subscribe))
++ return 0;
++ return amask[offset];
+ }
+
+ /* Given an event subscription, is this event enabled? */
diff --git a/patches.suse/sctp-reset-owner-sk-for-data-chunks-on-out-queues-wh.patch b/patches.suse/sctp-reset-owner-sk-for-data-chunks-on-out-queues-wh.patch
new file mode 100644
index 0000000000..e3e50cd360
--- /dev/null
+++ b/patches.suse/sctp-reset-owner-sk-for-data-chunks-on-out-queues-wh.patch
@@ -0,0 +1,98 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 28 Oct 2017 02:13:29 +0800
+Subject: sctp: reset owner sk for data chunks on out queues when migrating a
+ sock
+Git-commit: d04adf1b355181e737b6b1e23d801b07f0b7c4c0
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+Now when migrating sock to another one in sctp_sock_migrate(), it only
+resets owner sk for the data in receive queues, not the chunks on out
+queues.
+
+It would cause that data chunks length on the sock is not consistent
+with sk sk_wmem_alloc. When closing the sock or freeing these chunks,
+the old sk would never be freed, and the new sock may crash due to
+the overflow sk_wmem_alloc.
+
+syzbot found this issue with this series:
+
+ r0 = socket$inet_sctp()
+ sendto$inet(r0)
+ listen(r0)
+ accept4(r0)
+ close(r0)
+
+Although listen() should have returned error when one TCP-style socket
+is in connecting (I may fix this one in another patch), it could also
+be reproduced by peeling off an assoc.
+
+This issue is there since very beginning.
+
+This patch is to reset owner sk for the chunks on out queues so that
+sk sk_wmem_alloc has correct value after accept one sock or peeloff
+an assoc to one sock.
+
+Note that when resetting owner sk for chunks on outqueue, it has to
+sctp_clear_owner_w/skb_orphan chunks before changing assoc->base.sk
+first and then sctp_set_owner_w them after changing assoc->base.sk,
+due to that sctp_wfree and it's callees are using assoc->base.sk.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/socket.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -169,6 +169,36 @@ static inline void sctp_set_owner_w(stru
+ sk_mem_charge(sk, chunk->skb->truesize);
+ }
+
++static void sctp_clear_owner_w(struct sctp_chunk *chunk)
++{
++ skb_orphan(chunk->skb);
++}
++
++static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
++ void (*cb)(struct sctp_chunk *))
++
++{
++ struct sctp_outq *q = &asoc->outqueue;
++ struct sctp_transport *t;
++ struct sctp_chunk *chunk;
++
++ list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
++ list_for_each_entry(chunk, &t->transmitted, transmitted_list)
++ cb(chunk);
++
++ list_for_each_entry(chunk, &q->retransmit, list)
++ cb(chunk);
++
++ list_for_each_entry(chunk, &q->sacked, list)
++ cb(chunk);
++
++ list_for_each_entry(chunk, &q->abandoned, list)
++ cb(chunk);
++
++ list_for_each_entry(chunk, &q->out_chunk_list, list)
++ cb(chunk);
++}
++
+ /* Verify that this is a valid address. */
+ static inline int sctp_verify_addr(struct sock *sk, union sctp_addr *addr,
+ int len)
+@@ -8152,7 +8182,9 @@ static void sctp_sock_migrate(struct soc
+ * paths won't try to lock it and then oldsk.
+ */
+ lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
++ sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
+ sctp_assoc_migrate(assoc, newsk);
++ sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
+
+ /* If the association on the newsk is already closed before accept()
+ * is called, set RCV_SHUTDOWN flag.
diff --git a/patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch b/patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch
new file mode 100644
index 0000000000..8fc187cd39
--- /dev/null
+++ b/patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch
@@ -0,0 +1,47 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 26 Nov 2017 20:56:07 +0800
+Subject: sctp: use right member as the param of list_for_each_entry
+Git-commit: a8dd397903a6e57157f6265911f7d35681364427
+Patch-mainline: v4.15-rc2
+References: git-fixes
+
+Commit d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues
+when migrating a sock") made a mistake that using 'list' as the param of
+list_for_each_entry to traverse the retransmit, sacked and abandoned
+queues, while chunks are using 'transmitted_list' to link into these
+queues.
+
+It could cause NULL dereference panic if there are chunks in any of these
+queues when peeling off one asoc.
+
+So use the chunk member 'transmitted_list' instead in this patch.
+
+Fixes: d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues when migrating a sock")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -186,13 +186,13 @@ static void sctp_for_each_tx_datachunk(s
+ list_for_each_entry(chunk, &t->transmitted, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->retransmit, list)
++ list_for_each_entry(chunk, &q->retransmit, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->sacked, list)
++ list_for_each_entry(chunk, &q->sacked, transmitted_list)
+ cb(chunk);
+
+- list_for_each_entry(chunk, &q->abandoned, list)
++ list_for_each_entry(chunk, &q->abandoned, transmitted_list)
+ cb(chunk);
+
+ list_for_each_entry(chunk, &q->out_chunk_list, list)
diff --git a/patches.suse/sh_eth-fix-SH7757-GEther-initialization.patch b/patches.suse/sh_eth-fix-SH7757-GEther-initialization.patch
new file mode 100644
index 0000000000..b697ef4a4d
--- /dev/null
+++ b/patches.suse/sh_eth-fix-SH7757-GEther-initialization.patch
@@ -0,0 +1,48 @@
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Thu, 4 Jan 2018 21:06:49 +0300
+Subject: sh_eth: fix SH7757 GEther initialization
+Git-commit: 5133550296d43236439494aa955bfb765a89f615
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+Renesas SH7757 has 2 Fast and 2 Gigabit Ether controllers, while the
+'sh_eth' driver can only reset and initialize TSU of the first controller
+pair. Shimoda-san tried to solve that adding the 'needs_init' member to the
+'struct sh_eth_plat_data', however the platform code still never sets this
+flag. I think that we can infer this information from the 'devno' variable
+(set to 'platform_device::id') and reset/init the Ether controller pair
+only for an even 'devno'; therefore 'sh_eth_plat_data::needs_init' can be
+removed...
+
+Fixes: 150647fb2c31 ("net: sh_eth: change the condition of initialization")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ include/linux/sh_eth.h | 1 -
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -3221,8 +3221,8 @@ static int sh_eth_drv_probe(struct platf
+ ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER;
+ }
+
+- /* initialize first or needed device */
+- if (!devno || pd->needs_init) {
++ /* Need to init only the first port of the two sharing a TSU */
++ if (devno % 2 == 0) {
+ if (mdp->cd->chip_reset)
+ mdp->cd->chip_reset(ndev);
+
+--- a/include/linux/sh_eth.h
++++ b/include/linux/sh_eth.h
+@@ -16,7 +16,6 @@ struct sh_eth_plat_data {
+ unsigned char mac_addr[ETH_ALEN];
+ unsigned no_ether_link:1;
+ unsigned ether_link_active_low:1;
+- unsigned needs_init:1;
+ };
+
+ #endif
diff --git a/patches.suse/sh_eth-fix-TSU-resource-handling.patch b/patches.suse/sh_eth-fix-TSU-resource-handling.patch
new file mode 100644
index 0000000000..567b24fd44
--- /dev/null
+++ b/patches.suse/sh_eth-fix-TSU-resource-handling.patch
@@ -0,0 +1,60 @@
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Wed, 3 Jan 2018 20:09:49 +0300
+Subject: sh_eth: fix TSU resource handling
+Git-commit: dfe8266b8dd10e12a731c985b725fcf7f0e537f0
+Patch-mainline: v4.15-rc8
+References: networking-stable-18_01_12
+
+When switching the driver to the managed device API, I managed to break
+the case of a dual Ether devices sharing a single TSU: the 2nd Ether port
+wouldn't probe. Iwamatsu-san has tried to fix this but his patch was buggy
+and he then dropped the ball...
+
+The solution is to limit calling devm_request_mem_region() to the first
+of the two ports sharing the same TSU, so devm_ioremap_resource() can't
+be used anymore for the TSU resource...
+
+Fixes: d5e07e69218f ("sh_eth: use managed device API")
+Reported-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -3192,10 +3192,29 @@ static int sh_eth_drv_probe(struct platf
+ /* ioremap the TSU registers */
+ if (mdp->cd->tsu) {
+ struct resource *rtsu;
++
+ rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+- mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu);
+- if (IS_ERR(mdp->tsu_addr)) {
+- ret = PTR_ERR(mdp->tsu_addr);
++ if (!rtsu) {
++ dev_err(&pdev->dev, "no TSU resource\n");
++ ret = -ENODEV;
++ goto out_release;
++ }
++ /* We can only request the TSU region for the first port
++ * of the two sharing this TSU for the probe to succeed...
++ */
++ if (devno % 2 == 0 &&
++ !devm_request_mem_region(&pdev->dev, rtsu->start,
++ resource_size(rtsu),
++ dev_name(&pdev->dev))) {
++ dev_err(&pdev->dev, "can't request TSU resource.\n");
++ ret = -EBUSY;
++ goto out_release;
++ }
++ mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start,
++ resource_size(rtsu));
++ if (!mdp->tsu_addr) {
++ dev_err(&pdev->dev, "TSU region ioremap() failed.\n");
++ ret = -ENOMEM;
+ goto out_release;
+ }
+ mdp->port = devno % 2;
diff --git a/patches.suse/sit-update-frag_off-info.patch b/patches.suse/sit-update-frag_off-info.patch
new file mode 100644
index 0000000000..b1c57d40d7
--- /dev/null
+++ b/patches.suse/sit-update-frag_off-info.patch
@@ -0,0 +1,29 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 30 Nov 2017 10:41:14 +0800
+Subject: sit: update frag_off info
+Git-commit: f859b4af1c52493ec21173ccc73d0b60029b5b88
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_12
+
+After parsing the sit netlink change info, we forget to update frag_off in
+ipip6_tunnel_update(). Fix it by assigning frag_off with new value.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/sit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1087,6 +1087,7 @@ static void ipip6_tunnel_update(struct i
+ ipip6_tunnel_link(sitn, t);
+ t->parms.iph.ttl = p->iph.ttl;
+ t->parms.iph.tos = p->iph.tos;
++ t->parms.iph.frag_off = p->iph.frag_off;
+ if (t->parms.link != p->link || t->fwmark != fwmark) {
+ t->parms.link = p->link;
+ t->fwmark = fwmark;
diff --git a/patches.suse/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch b/patches.suse/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch
new file mode 100644
index 0000000000..71a49b47da
--- /dev/null
+++ b/patches.suse/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch
@@ -0,0 +1,44 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 13 Dec 2017 14:41:06 -0500
+Subject: sock: free skb in skb_complete_tx_timestamp on error
+Git-commit: 35b99dffc3f710cafceee6c8c6ac6a98eb2cb4bf
+Patch-mainline: v4.15-rc4
+References: networking-stable-17_12_31
+
+skb_complete_tx_timestamp must ingest the skb it is passed. Call
+kfree_skb if the skb cannot be enqueued.
+
+Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl")
+Fixes: 9ac25fc06375 ("net: fix socket refcounting in skb_complete_tx_timestamp()")
+Reported-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/skbuff.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3875,7 +3875,7 @@ void skb_complete_tx_timestamp(struct sk
+ struct sock *sk = skb->sk;
+
+ if (!skb_may_tx_timestamp(sk, false))
+- return;
++ goto err;
+
+ /* Take a reference to prevent skb_orphan() from freeing the socket,
+ * but only if the socket refcount is not zero.
+@@ -3884,7 +3884,11 @@ void skb_complete_tx_timestamp(struct sk
+ *skb_hwtstamps(skb) = *hwtstamps;
+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
+ sock_put(sk);
++ return;
+ }
++
++err:
++ kfree_skb(skb);
+ }
+ EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
+
diff --git a/patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch b/patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch
new file mode 100644
index 0000000000..53ad8a696e
--- /dev/null
+++ b/patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch
@@ -0,0 +1,38 @@
+From: Lars Persson <lars.persson@axis.com>
+Date: Fri, 1 Dec 2017 11:12:44 +0100
+Subject: stmmac: reset last TSO segment size after device open
+Git-commit: 45ab4b13e46325d00f4acdb365d406e941a15f81
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_12
+
+The mss variable tracks the last max segment size sent to the TSO
+engine. We do not update the hardware as long as we receive skb:s with
+the same value in gso_size.
+
+During a network device down/up cycle (mapped to stmmac_release() and
+stmmac_open() callbacks) we issue a reset to the hardware and it
+forgets the setting for mss. However we did not zero out our mss
+variable so the next transmission of a gso packet happens with an
+undefined hardware setting.
+
+This triggers a hang in the TSO engine and eventuelly the netdev
+watchdog will bark.
+
+Fixes: f748be531d70 ("stmmac: support new GMAC4")
+Signed-off-by: Lars Persson <larper@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2566,6 +2566,7 @@ static int stmmac_open(struct net_device
+
+ priv->dma_buf_sz = STMMAC_ALIGN(buf_sz);
+ priv->rx_copybreak = STMMAC_RX_COPYBREAK;
++ priv->mss = 0;
+
+ ret = alloc_dma_desc_resources(priv);
+ if (ret < 0) {
diff --git a/patches.suse/tap-reference-to-KVA-of-an-unloaded-module-causes-ke.patch b/patches.suse/tap-reference-to-KVA-of-an-unloaded-module-causes-ke.patch
new file mode 100644
index 0000000000..48f928b0cd
--- /dev/null
+++ b/patches.suse/tap-reference-to-KVA-of-an-unloaded-module-causes-ke.patch
@@ -0,0 +1,118 @@
+From: Girish Moodalbail <girish.moodalbail@oracle.com>
+Date: Fri, 27 Oct 2017 00:00:16 -0700
+Subject: tap: reference to KVA of an unloaded module causes kernel panic
+Git-commit: dea6e19f4ef746aa18b4c33d1a7fed54356796ed
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+The commit 9a393b5d5988 ("tap: tap as an independent module") created a
+separate tap module that implements tap functionality and exports
+interfaces that will be used by macvtap and ipvtap modules to create
+create respective tap devices.
+
+However, that patch introduced a regression wherein the modules macvtap
+and ipvtap can be removed (through modprobe -r) while there are
+applications using the respective /dev/tapX devices. These applications
+cause kernel to hold reference to /dev/tapX through 'struct cdev
+macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
+modules respectively. So, when the application is later closed the
+kernel panics because we are referencing KVA that is present in the
+unloaded modules.
+
+----------8<------- Example ----------8<----------
+$ sudo ip li add name mv0 link enp7s0 type macvtap
+$ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
+ 14:mv0@enp7s0:
+$ cat /dev/tap14 &
+$ lsmod |egrep -i 'tap|vlan'
+macvtap 16384 0
+macvlan 24576 1 macvtap
+tap 24576 3 macvtap
+$ sudo modprobe -r macvtap
+$ fg
+cat /dev/tap14
+^C
+
+<...system panics...>
+BUG: unable to handle kernel paging request at ffffffffa038c500
+IP: cdev_put+0xf/0x30
+----------8<-----------------8<----------
+
+The fix is to set cdev.owner to the module that creates the tap device
+(either macvtap or ipvtap). With this set, the operations (in
+fs/char_dev.c) on char device holds and releases the module through
+cdev_get() and cdev_put() and will not allow the module to unload
+prematurely.
+
+Fixes: 9a393b5d5988ea4e (tap: tap as an independent module)
+Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ipvlan/ipvtap.c | 4 ++--
+ drivers/net/macvtap.c | 4 ++--
+ drivers/net/tap.c | 5 +++--
+ include/linux/if_tap.h | 4 ++--
+ 4 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvtap.c
++++ b/drivers/net/ipvlan/ipvtap.c
+@@ -197,8 +197,8 @@ static int ipvtap_init(void)
+ {
+ int err;
+
+- err = tap_create_cdev(&ipvtap_cdev, &ipvtap_major, "ipvtap");
+-
++ err = tap_create_cdev(&ipvtap_cdev, &ipvtap_major, "ipvtap",
++ THIS_MODULE);
+ if (err)
+ goto out1;
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -204,8 +204,8 @@ static int macvtap_init(void)
+ {
+ int err;
+
+- err = tap_create_cdev(&macvtap_cdev, &macvtap_major, "macvtap");
+-
++ err = tap_create_cdev(&macvtap_cdev, &macvtap_major, "macvtap",
++ THIS_MODULE);
+ if (err)
+ goto out1;
+
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -1232,8 +1232,8 @@ static int tap_list_add(dev_t major, con
+ return 0;
+ }
+
+-int tap_create_cdev(struct cdev *tap_cdev,
+- dev_t *tap_major, const char *device_name)
++int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++ const char *device_name, struct module *module)
+ {
+ int err;
+
+@@ -1242,6 +1242,7 @@ int tap_create_cdev(struct cdev *tap_cde
+ goto out1;
+
+ cdev_init(tap_cdev, &tap_fops);
++ tap_cdev->owner = module;
+ err = cdev_add(tap_cdev, *tap_major, TAP_NUM_DEVS);
+ if (err)
+ goto out2;
+--- a/include/linux/if_tap.h
++++ b/include/linux/if_tap.h
+@@ -68,8 +68,8 @@ void tap_del_queues(struct tap_dev *tap)
+ int tap_get_minor(dev_t major, struct tap_dev *tap);
+ void tap_free_minor(dev_t major, struct tap_dev *tap);
+ int tap_queue_resize(struct tap_dev *tap);
+-int tap_create_cdev(struct cdev *tap_cdev,
+- dev_t *tap_major, const char *device_name);
++int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
++ const char *device_name, struct module *module);
+ void tap_destroy_cdev(dev_t major, struct cdev *tap_cdev);
+
+ #endif /*_LINUX_IF_TAP_H_*/
diff --git a/patches.suse/tcp-fix-data-delivery-rate.patch b/patches.suse/tcp-fix-data-delivery-rate.patch
new file mode 100644
index 0000000000..f271838e45
--- /dev/null
+++ b/patches.suse/tcp-fix-data-delivery-rate.patch
@@ -0,0 +1,48 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Sep 2017 16:47:42 -0700
+Subject: tcp: fix data delivery rate
+Git-commit: fc22579917eb7e13433448a342f1cb1592920940
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+Now skb->mstamp_skb is updated later, we also need to call
+tcp_rate_skb_sent() after the update is done.
+
+Fixes: 8c72c65b426b ("tcp: update skb->skb_mstamp more carefully")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_output.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index a85a8c2948e5..1c839c99114c 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1002,8 +1002,6 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
+ if (clone_it) {
+ TCP_SKB_CB(skb)->tx.in_flight = TCP_SKB_CB(skb)->end_seq
+ - tp->snd_una;
+- tcp_rate_skb_sent(sk, skb);
+-
+ oskb = skb;
+ if (unlikely(skb_cloned(skb)))
+ skb = pskb_copy(skb, gfp_mask);
+@@ -1128,9 +1126,10 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
+ tcp_enter_cwr(sk);
+ err = net_xmit_eval(err);
+ }
+- if (!err && oskb)
++ if (!err && oskb) {
+ oskb->skb_mstamp = tp->tcp_mstamp;
+-
++ tcp_rate_skb_sent(sk, oskb);
++ }
+ return err;
+ }
+
+--
+2.17.1
+
diff --git a/patches.suse/tcp-update-skb-skb_mstamp-more-carefully.patch b/patches.suse/tcp-update-skb-skb_mstamp-more-carefully.patch
new file mode 100644
index 0000000000..c32f6cbfcd
--- /dev/null
+++ b/patches.suse/tcp-update-skb-skb_mstamp-more-carefully.patch
@@ -0,0 +1,140 @@
+From: Eric Dumazet <edumazet@googl.com>
+Date: Wed, 13 Sep 2017 20:30:39 -0700
+Subject: tcp: update skb->skb_mstamp more carefully
+Git-commit: 8c72c65b426b47b3c166a8fef0d8927fe5e8a28d
+Patch-mainline: v4.14-rc1
+References: networking-stable-17_10_09
+
+liujian reported a problem in TCP_USER_TIMEOUT processing with a patch
+in tcp_probe_timer() :
+ https://www.spinics.net/lists/netdev/msg454496.html
+
+After investigations, the root cause of the problem is that we update
+skb->skb_mstamp of skbs in write queue, even if the attempt to send a
+clone or copy of it failed. One reason being a routing problem.
+
+This patch prevents this, solving liujian issue.
+
+It also removes a potential RTT miscalculation, since
+__tcp_retransmit_skb() is not OR-ing TCP_SKB_CB(skb)->sacked with
+TCPCB_EVER_RETRANS if a failure happens, but skb->skb_mstamp has
+been changed.
+
+A future ACK would then lead to a very small RTT sample and min_rtt
+would then be lowered to this too small value.
+
+Tested:
+
+# cat user_timeout.pkt
+--local_ip=192.168.102.64
+
+ 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+ +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+ +0 bind(3, ..., ...) = 0
+ +0 listen(3, 1) = 0
+
+ +0 `ifconfig tun0 192.168.102.64/16; ip ro add 192.0.2.1 dev tun0`
+
+ +0 < S 0:0(0) win 0 <mss 1460>
+ +0 > S. 0:0(0) ack 1 <mss 1460>
+
+ +.1 < . 1:1(0) ack 1 win 65530
+ +0 accept(3, ..., ...) = 4
+
+ +0 setsockopt(4, SOL_TCP, TCP_USER_TIMEOUT, [3000], 4) = 0
+ +0 write(4, ..., 24) = 24
+ +0 > P. 1:25(24) ack 1 win 29200
+ +.1 < . 1:1(0) ack 25 win 65530
+
+//change the ipaddress
+ +1 `ifconfig tun0 192.168.0.10/16`
+
+ +1 write(4, ..., 24) = 24
+ +1 write(4, ..., 24) = 24
+ +1 write(4, ..., 24) = 24
+ +1 write(4, ..., 24) = 24
+
+ +0 `ifconfig tun0 192.168.102.64/16`
+ +0 < . 1:2(1) ack 25 win 65530
+ +0 `ifconfig tun0 192.168.0.10/16`
+
+ +3 write(4, ..., 24) = -1
+
+# ./packetdrill user_timeout.pkt
+
+Signed-off-by: Eric Dumazet <edumazet@googl.com>
+Reported-by: liujian <liujian56@huawei.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_output.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -990,6 +990,7 @@ static int tcp_transmit_skb(struct sock
+ struct tcp_skb_cb *tcb;
+ struct tcp_out_options opts;
+ unsigned int tcp_options_size, tcp_header_size;
++ struct sk_buff *oskb = NULL;
+ struct tcp_md5sig_key *md5;
+ struct tcphdr *th;
+ int err;
+@@ -997,12 +998,12 @@ static int tcp_transmit_skb(struct sock
+ BUG_ON(!skb || !tcp_skb_pcount(skb));
+ tp = tcp_sk(sk);
+
+- skb->skb_mstamp = tp->tcp_mstamp;
+ if (clone_it) {
+ TCP_SKB_CB(skb)->tx.in_flight = TCP_SKB_CB(skb)->end_seq
+ - tp->snd_una;
+ tcp_rate_skb_sent(sk, skb);
+
++ oskb = skb;
+ if (unlikely(skb_cloned(skb)))
+ skb = pskb_copy(skb, gfp_mask);
+ else
+@@ -1010,6 +1011,7 @@ static int tcp_transmit_skb(struct sock
+ if (unlikely(!skb))
+ return -ENOBUFS;
+ }
++ skb->skb_mstamp = tp->tcp_mstamp;
+
+ inet = inet_sk(sk);
+ tcb = TCP_SKB_CB(skb);
+@@ -1121,12 +1123,14 @@ static int tcp_transmit_skb(struct sock
+
+ err = icsk->icsk_af_ops->queue_xmit(sk, skb, &inet->cork.fl);
+
+- if (likely(err <= 0))
+- return err;
+-
+- tcp_enter_cwr(sk);
++ if (unlikely(err > 0)) {
++ tcp_enter_cwr(sk);
++ err = net_xmit_eval(err);
++ }
++ if (!err && oskb)
++ oskb->skb_mstamp = tp->tcp_mstamp;
+
+- return net_xmit_eval(err);
++ return err;
+ }
+
+ /* This routine just queues the buffer for sending.
+@@ -2866,10 +2870,11 @@ int __tcp_retransmit_skb(struct sock *sk
+ skb_headroom(skb) >= 0xFFFF)) {
+ struct sk_buff *nskb;
+
+- skb->skb_mstamp = tp->tcp_mstamp;
+ nskb = __pskb_copy(skb, MAX_TCP_HEADER, GFP_ATOMIC);
+ err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
+ -ENOBUFS;
++ if (!err)
++ skb->skb_mstamp = tp->tcp_mstamp;
+ } else {
+ err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
+ }
diff --git a/patches.suse/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch b/patches.suse/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch
new file mode 100644
index 0000000000..78f176fb1b
--- /dev/null
+++ b/patches.suse/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch
@@ -0,0 +1,67 @@
+From: Neal Cardwell <ncardwell@google.com>
+Date: Thu, 7 Dec 2017 12:43:30 -0500
+Subject: tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
+Git-commit: c589e69b508d29ed8e644dfecda453f71c02ec27
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_31
+
+This commit records the "full bw reached" decision in a new
+full_bw_reached bit. This is a pure refactor that does not change the
+current behavior, but enables subsequent fixes and improvements.
+
+In particular, this enables simple and clean fixes because the full_bw
+and full_bw_cnt can be unconditionally zeroed without worrying about
+forgetting that we estimated we filled the pipe in Startup. And it
+enables future improvements because multiple code paths can be used
+for estimating that we filled the pipe in Startup; any new code paths
+only need to set this bit when they think the pipe is full.
+
+Note that this fix intentionally reduces the width of the full_bw_cnt
+counter, since we have never used the most significant bit.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_bbr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -110,7 +110,8 @@ struct bbr {
+ u32 lt_last_lost; /* LT intvl start: tp->lost */
+ u32 pacing_gain:10, /* current gain for setting pacing rate */
+ cwnd_gain:10, /* current gain for setting cwnd */
+- full_bw_cnt:3, /* number of rounds without large bw gains */
++ full_bw_reached:1, /* reached full bw in Startup? */
++ full_bw_cnt:2, /* number of rounds without large bw gains */
+ cycle_idx:3, /* current index in pacing_gain cycle array */
+ has_seen_rtt:1, /* have we seen an RTT sample yet? */
+ unused_b:5;
+@@ -180,7 +181,7 @@ static bool bbr_full_bw_reached(const st
+ {
+ const struct bbr *bbr = inet_csk_ca(sk);
+
+- return bbr->full_bw_cnt >= bbr_full_bw_cnt;
++ return bbr->full_bw_reached;
+ }
+
+ /* Return the windowed max recent bandwidth sample, in pkts/uS << BW_SCALE. */
+@@ -717,6 +718,7 @@ static void bbr_check_full_bw_reached(st
+ return;
+ }
+ ++bbr->full_bw_cnt;
++ bbr->full_bw_reached = bbr->full_bw_cnt >= bbr_full_bw_cnt;
+ }
+
+ /* If pipe is probably full, drain the queue and then enter steady-state. */
+@@ -850,6 +852,7 @@ static void bbr_init(struct sock *sk)
+ bbr->restore_cwnd = 0;
+ bbr->round_start = 0;
+ bbr->idle_restart = 0;
++ bbr->full_bw_reached = 0;
+ bbr->full_bw = 0;
+ bbr->full_bw_cnt = 0;
+ bbr->cycle_mstamp = 0;
diff --git a/patches.suse/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch b/patches.suse/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch
new file mode 100644
index 0000000000..89655743f0
--- /dev/null
+++ b/patches.suse/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch
@@ -0,0 +1,41 @@
+From: Neal Cardwell <ncardwell@google.com>
+Date: Thu, 7 Dec 2017 12:43:31 -0500
+Subject: tcp_bbr: reset full pipe detection on loss recovery undo
+Git-commit: 2f6c498e4f15d27852c04ed46d804a39137ba364
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_31
+
+Fix BBR so that upon notification of a loss recovery undo BBR resets
+the full pipe detection (STARTUP exit) state machine.
+
+Under high reordering, reordering events can be interpreted as loss.
+If the reordering and spurious loss estimates are high enough, this
+could previously cause BBR to spuriously estimate that the pipe is
+full.
+
+Since spurious loss recovery means that our overall sending will have
+slowed down spuriously, this commit gives a flow more time to probe
+robustly for bandwidth and decide the pipe is really full.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_bbr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -874,6 +874,10 @@ static u32 bbr_sndbuf_expand(struct sock
+ */
+ static u32 bbr_undo_cwnd(struct sock *sk)
+ {
++ struct bbr *bbr = inet_csk_ca(sk);
++
++ bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */
++ bbr->full_bw_cnt = 0;
+ return tcp_sk(sk)->snd_cwnd;
+ }
+
diff --git a/patches.suse/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch b/patches.suse/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch
new file mode 100644
index 0000000000..9c8b26ffde
--- /dev/null
+++ b/patches.suse/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch
@@ -0,0 +1,36 @@
+From: Neal Cardwell <ncardwell@google.com>
+Date: Thu, 7 Dec 2017 12:43:32 -0500
+Subject: tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
+Git-commit: 600647d467c6d04b3954b41a6ee1795b5ae00550
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_31
+
+Fix BBR so that upon notification of a loss recovery undo BBR resets
+long-term bandwidth sampling.
+
+Under high reordering, reordering events can be interpreted as loss.
+If the reordering and spurious loss estimates are high enough, this
+can cause BBR to spuriously estimate that we are seeing loss rates
+high enough to trigger long-term bandwidth estimation. To avoid that
+problem, this commit resets long-term bandwidth sampling on loss
+recovery undo events.
+
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_bbr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -878,6 +878,7 @@ static u32 bbr_undo_cwnd(struct sock *sk
+
+ bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */
+ bbr->full_bw_cnt = 0;
++ bbr_reset_lt_bw_sampling(sk);
+ return tcp_sk(sk)->snd_cwnd;
+ }
+
diff --git a/patches.suse/tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch b/patches.suse/tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch
new file mode 100644
index 0000000000..01ad1a2aa0
--- /dev/null
+++ b/patches.suse/tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch
@@ -0,0 +1,29 @@
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 1 Nov 2017 16:32:15 +0300
+Subject: tcp_nv: fix division by zero in tcpnv_acked()
+Git-commit: 4eebff27ca4182bbf5f039dd60d79e2d7c0a707e
+Patch-mainline: v4.14-rc8
+References: networking-stable-17_11_20
+
+Average RTT could become zero. This happened in real life at least twice.
+This patch treats zero as 1us.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Lawrence Brakmo <Brakmo@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_nv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_nv.c
++++ b/net/ipv4/tcp_nv.c
+@@ -263,7 +263,7 @@ static void tcpnv_acked(struct sock *sk,
+
+ /* rate in 100's bits per second */
+ rate64 = ((u64)sample->in_flight) * 8000000;
+- rate = (u32)div64_u64(rate64, (u64)(avg_rtt * 100));
++ rate = (u32)div64_u64(rate64, (u64)(avg_rtt ?: 1) * 100);
+
+ /* Remember the maximum rate seen during this RTT
+ * Note: It may be more than one RTT. This function should be
diff --git a/patches.suse/tipc-fix-hanging-poll-for-stream-sockets.patch b/patches.suse/tipc-fix-hanging-poll-for-stream-sockets.patch
new file mode 100644
index 0000000000..0a84605585
--- /dev/null
+++ b/patches.suse/tipc-fix-hanging-poll-for-stream-sockets.patch
@@ -0,0 +1,42 @@
+From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com>
+Date: Thu, 28 Dec 2017 12:03:06 +0100
+Subject: tipc: fix hanging poll() for stream sockets
+Git-commit: 517d7c79bdb39864e617960504bdc1aa560c75c6
+Patch-mainline: v4.15-rc6
+References: networking-stable-17_12_31
+
+In commit 42b531de17d2f6 ("tipc: Fix missing connection request
+handling"), we replaced unconditional wakeup() with condtional
+wakeup for clients with flags POLLIN | POLLRDNORM | POLLRDBAND.
+
+This breaks the applications which do a connect followed by poll
+with POLLOUT flag. These applications are not woken when the
+connection is ESTABLISHED and hence sleep forever.
+
+In this commit, we fix it by including the POLLOUT event for
+sockets in TIPC_CONNECTING state.
+
+Fixes: 42b531de17d2f6 ("tipc: Fix missing connection request handling")
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -709,11 +709,11 @@ static unsigned int tipc_poll(struct fil
+
+ switch (sk->sk_state) {
+ case TIPC_ESTABLISHED:
++ case TIPC_CONNECTING:
+ if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk))
+ mask |= POLLOUT;
+ /* fall thru' */
+ case TIPC_LISTEN:
+- case TIPC_CONNECTING:
+ if (!skb_queue_empty(&sk->sk_receive_queue))
+ mask |= (POLLIN | POLLRDNORM);
+ break;
diff --git a/patches.suse/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch b/patches.suse/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
new file mode 100644
index 0000000000..f1bcf65c04
--- /dev/null
+++ b/patches.suse/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
@@ -0,0 +1,31 @@
+From: Jon Maloy <jon.maloy@ericsson.com>
+Date: Mon, 4 Dec 2017 22:00:20 +0100
+Subject: tipc: fix memory leak in tipc_accept_from_sock()
+Git-commit: a7d5f107b4978e08eeab599ee7449af34d034053
+Patch-mainline: v4.15-rc3
+References: networking-stable-17_12_12
+
+When the function tipc_accept_from_sock() fails to create an instance of
+struct tipc_subscriber it omits to free the already created instance of
+struct tipc_conn instance before it returns.
+
+We fix that with this commit.
+
+Reported-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/tipc/server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/server.c
++++ b/net/tipc/server.c
+@@ -313,6 +313,7 @@ static int tipc_accept_from_sock(struct
+ newcon->usr_data = s->tipc_conn_new(newcon->conid);
+ if (!newcon->usr_data) {
+ sock_release(newsock);
++ conn_put(newcon);
+ return -ENOMEM;
+ }
+
diff --git a/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
new file mode 100644
index 0000000000..f5a9202739
--- /dev/null
+++ b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
@@ -0,0 +1,33 @@
+From: Julien Gomes <julien@arista.com>
+Date: Wed, 25 Oct 2017 11:50:50 -0700
+Subject: tun: allow positive return values on dev_get_valid_name() call
+Git-commit: 5c25f65fd1e42685f7ccd80e0621829c105785d9
+Patch-mainline: v4.14-rc7
+References: networking-stable-17_11_14
+
+If the name argument of dev_get_valid_name() contains "%d", it will try
+to assign it a unit number in __dev__alloc_name() and return either the
+unit number (>= 0) or an error code (< 0).
+Considering positive values as error values prevent tun device creations
+relying this mechanism, therefor we should only consider negative values
+as errors here.
+
+Signed-off-by: Julien Gomes <julien@arista.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1811,7 +1811,7 @@ static int tun_set_iff(struct net *net,
+ if (!dev)
+ return -ENOMEM;
+ err = dev_get_valid_name(net, dev, name);
+- if (err)
++ if (err < 0)
+ goto err_free_dev;
+
+ dev_net_set(dev, net);
diff --git a/patches.suse/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch b/patches.suse/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch
new file mode 100644
index 0000000000..d943c86d3e
--- /dev/null
+++ b/patches.suse/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch
@@ -0,0 +1,108 @@
+From: Alexander Potapenko <glider@google.com>
+Date: Thu, 28 Sep 2017 11:32:37 +0200
+Subject: tun: bail out from tun_get_user() if the skb is empty
+Git-commit: 2580c4c17aee3ad58e9751012bad278dd074ccae
+Patch-mainline: v4.14-rc4
+References: networking-stable-17_10_09
+
+KMSAN (https://github.com/google/kmsan) reported accessing uninitialized
+skb->data[0] in the case the skb is empty (i.e. skb->len is 0):
+
+================================================
+BUG: KMSAN: use of uninitialized memory in tun_get_user+0x19ba/0x3770
+CPU: 0 PID: 3051 Comm: probe Not tainted 4.13.0+ #3140
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+...
+ __msan_warning_32+0x66/0xb0 mm/kmsan/kmsan_instr.c:477
+ tun_get_user+0x19ba/0x3770 drivers/net/tun.c:1301
+ tun_chr_write_iter+0x19f/0x300 drivers/net/tun.c:1365
+ call_write_iter ./include/linux/fs.h:1743
+ new_sync_write fs/read_write.c:457
+ __vfs_write+0x6c3/0x7f0 fs/read_write.c:470
+ vfs_write+0x3e4/0x770 fs/read_write.c:518
+ SYSC_write+0x12f/0x2b0 fs/read_write.c:565
+ SyS_write+0x55/0x80 fs/read_write.c:557
+ do_syscall_64+0x242/0x330 arch/x86/entry/common.c:284
+ entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:245
+...
+origin:
+...
+ kmsan_poison_shadow+0x6e/0xc0 mm/kmsan/kmsan.c:211
+ slab_alloc_node mm/slub.c:2732
+ __kmalloc_node_track_caller+0x351/0x370 mm/slub.c:4351
+ __kmalloc_reserve net/core/skbuff.c:138
+ __alloc_skb+0x26a/0x810 net/core/skbuff.c:231
+ alloc_skb ./include/linux/skbuff.h:903
+ alloc_skb_with_frags+0x1d7/0xc80 net/core/skbuff.c:4756
+ sock_alloc_send_pskb+0xabf/0xfe0 net/core/sock.c:2037
+ tun_alloc_skb drivers/net/tun.c:1144
+ tun_get_user+0x9a8/0x3770 drivers/net/tun.c:1274
+ tun_chr_write_iter+0x19f/0x300 drivers/net/tun.c:1365
+ call_write_iter ./include/linux/fs.h:1743
+ new_sync_write fs/read_write.c:457
+ __vfs_write+0x6c3/0x7f0 fs/read_write.c:470
+ vfs_write+0x3e4/0x770 fs/read_write.c:518
+ SYSC_write+0x12f/0x2b0 fs/read_write.c:565
+ SyS_write+0x55/0x80 fs/read_write.c:557
+ do_syscall_64+0x242/0x330 arch/x86/entry/common.c:284
+ return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:245
+================================================
+
+Make sure tun_get_user() doesn't touch skb->data[0] unless there is
+actual data.
+
+C reproducer below:
+==========================
+ // autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+ #define _GNU_SOURCE
+
+ #include <fcntl.h>
+ #include <linux/if_tun.h>
+ #include <netinet/ip.h>
+ #include <net/if.h>
+ #include <string.h>
+ #include <sys/ioctl.h>
+
+ int main()
+ {
+ int sock = socket(PF_INET, SOCK_STREAM, IPPROTO_IP);
+ int tun_fd = open("/dev/net/tun", O_RDWR);
+ struct ifreq req;
+ memset(&req, 0, sizeof(struct ifreq));
+ strcpy((char*)&req.ifr_name, "gre0");
+ req.ifr_flags = IFF_UP | IFF_MULTICAST;
+ ioctl(tun_fd, TUNSETIFF, &req);
+ ioctl(sock, SIOCSIFFLAGS, "gre0");
+ write(tun_fd, "hi", 0);
+ return 0;
+ }
+==========================
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1298,11 +1298,13 @@ static ssize_t tun_get_user(struct tun_s
+ switch (tun->flags & TUN_TYPE_MASK) {
+ case IFF_TUN:
+ if (tun->flags & IFF_NO_PI) {
+- switch (skb->data[0] & 0xf0) {
+- case 0x40:
++ u8 ip_version = skb->len ? (skb->data[0] >> 4) : 0;
++
++ switch (ip_version) {
++ case 4:
+ pi.proto = htons(ETH_P_IP);
+ break;
+- case 0x60:
++ case 6:
+ pi.proto = htons(ETH_P_IPV6);
+ break;
+ default:
diff --git a/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
new file mode 100644
index 0000000000..776b56d4d7
--- /dev/null
+++ b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
@@ -0,0 +1,79 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 13 Oct 2017 11:58:53 -0700
+Subject: tun: call dev_get_valid_name() before register_netdevice()
+Git-commit: 0ad646c81b2182f7fa67ec0c8c825e0ee165696d
+Patch-mainline: v4.14-rc6
+References: networking-stable-17_11_14
+
+register_netdevice() could fail early when we have an invalid
+dev name, in which case ->ndo_uninit() is not called. For tun
+device, this is a problem because a timer etc. are already
+initialized and it expects ->ndo_uninit() to clean them up.
+
+We could move these initializations into a ->ndo_init() so
+that register_netdevice() knows better, however this is still
+complicated due to the logic in tun_detach().
+
+Therefore, I choose to just call dev_get_valid_name() before
+register_netdevice(), which is quicker and much easier to audit.
+And for this specific case, it is already enough.
+
+Fixes: 96442e42429e ("tuntap: choose the txq based on rxq")
+Reported-by: Dmitry Alexeev <avekceeb@gmail.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 3 +++
+ include/linux/netdevice.h | 3 +++
+ net/core/dev.c | 6 +++---
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1810,6 +1810,9 @@ static int tun_set_iff(struct net *net,
+
+ if (!dev)
+ return -ENOMEM;
++ err = dev_get_valid_name(net, dev, name);
++ if (err)
++ goto err_free_dev;
+
+ dev_net_set(dev, net);
+ dev->rtnl_link_ops = &tun_link_ops;
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3692,6 +3692,9 @@ struct net_device *alloc_netdev_mqs(int
+ unsigned char name_assign_type,
+ void (*setup)(struct net_device *),
+ unsigned int txqs, unsigned int rxqs);
++int dev_get_valid_name(struct net *net, struct net_device *dev,
++ const char *name);
++
+ #define alloc_netdev(sizeof_priv, name, name_assign_type, setup) \
+ alloc_netdev_mqs(sizeof_priv, name, name_assign_type, setup, 1, 1)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1146,9 +1146,8 @@ static int dev_alloc_name_ns(struct net
+ return ret;
+ }
+
+-static int dev_get_valid_name(struct net *net,
+- struct net_device *dev,
+- const char *name)
++int dev_get_valid_name(struct net *net, struct net_device *dev,
++ const char *name)
+ {
+ BUG_ON(!net);
+
+@@ -1164,6 +1163,7 @@ static int dev_get_valid_name(struct net
+
+ return 0;
+ }
++EXPORT_SYMBOL(dev_get_valid_name);
+
+ /**
+ * dev_change_name - change name of a device
diff --git a/patches.suse/tun-tap-sanitize-TUNSETSNDBUF-input.patch b/patches.suse/tun-tap-sanitize-TUNSETSNDBUF-input.patch
new file mode 100644
index 0000000000..46794cedf3
--- /dev/null
+++ b/patches.suse/tun-tap-sanitize-TUNSETSNDBUF-input.patch
@@ -0,0 +1,85 @@
+From: Craig Gallek <kraig@google.com>
+Date: Mon, 30 Oct 2017 18:50:11 -0400
+Subject: tun/tap: sanitize TUNSETSNDBUF input
+Git-commit: 93161922c658c714715686cd0cf69b090cb9bf1d
+Patch-mainline: v4.14-rc8
+References: networking-stable-17_11_14
+
+Syzkaller found several variants of the lockup below by setting negative
+values with the TUNSETSNDBUF ioctl. This patch adds a sanity check
+to both the tun and tap versions of this ioctl.
+
+ watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
+ Modules linked in:
+ irq event stamp: 329692056
+ hardirqs last enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75
+ hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0
+ softirqs last enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c
+ softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0
+ CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ task: ffff880009452140 task.stack: ffff880006a20000
+ RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
+ RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
+ RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
+ RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
+ RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
+ R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
+ FS: 00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
+ Call Trace:
+ prepare_to_wait+0x26/0xc0
+ sock_alloc_send_pskb+0x14e/0x270
+ ? remove_wait_queue+0x60/0x60
+ tun_get_user+0x2cc/0x19d0
+ ? __tun_get+0x60/0x1b0
+ tun_chr_write_iter+0x57/0x86
+ __vfs_write+0x156/0x1e0
+ vfs_write+0xf7/0x230
+ SyS_write+0x57/0xd0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x7f4be4356df9
+ RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
+ RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
+ RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
+ R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
+ R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
+Fixes: 20d29d7a916a ("net: macvtap driver")
+Signed-off-by: Craig Gallek <kraig@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tap.c | 2 ++
+ drivers/net/tun.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -1029,6 +1029,8 @@ static long tap_ioctl(struct file *file,
+ case TUNSETSNDBUF:
+ if (get_user(s, sp))
+ return -EFAULT;
++ if (s <= 0)
++ return -EINVAL;
+
+ q->sk.sk_sndbuf = s;
+ return 0;
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2211,6 +2211,10 @@ static long __tun_chr_ioctl(struct file
+ ret = -EFAULT;
+ break;
+ }
++ if (sndbuf <= 0) {
++ ret = -EINVAL;
++ break;
++ }
+
+ tun->sndbuf = sndbuf;
+ tun_set_sndbuf(tun);
diff --git a/patches.suse/vlan-fix-a-use-after-free-in-vlan_device_event.patch b/patches.suse/vlan-fix-a-use-after-free-in-vlan_device_event.patch
new file mode 100644
index 0000000000..3ea902e538
--- /dev/null
+++ b/patches.suse/vlan-fix-a-use-after-free-in-vlan_device_event.patch
@@ -0,0 +1,65 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 9 Nov 2017 16:43:13 -0800
+Subject: vlan: fix a use-after-free in vlan_device_event()
+Git-commit: 052d41c01b3a2e3371d66de569717353af489d63
+Patch-mainline: v4.14
+References: networking-stable-17_11_20
+
+After refcnt reaches zero, vlan_vid_del() could free
+dev->vlan_info via RCU:
+
+ RCU_INIT_POINTER(dev->vlan_info, NULL);
+ call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
+
+However, the pointer 'grp' still points to that memory
+since it is set before vlan_vid_del():
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+ goto out;
+ grp = &vlan_info->grp;
+
+Depends on when that RCU callback is scheduled, we could
+trigger a use-after-free in vlan_group_for_each_dev()
+right following this vlan_vid_del().
+
+Fix it by moving vlan_vid_del() before setting grp. This
+is also symmetric to the vlan_vid_add() we call in
+vlan_device_event().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Cc: Alexander Duyck <alexander.duyck@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
+Tested-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/8021q/vlan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -376,6 +376,9 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
++ if (event == NETDEV_DOWN &&
++ (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+@@ -423,9 +426,6 @@ static int vlan_device_event(struct noti
+ struct net_device *tmp;
+ LIST_HEAD(close_list);
+
+- if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+-
+ /* Put all VLANs for this dev in the down state too. */
+ vlan_group_for_each_dev(grp, i, vlandev) {
+ flgs = vlandev->flags;
diff --git a/patches.suse/vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmp.patch b/patches.suse/vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmp.patch
new file mode 100644
index 0000000000..edc4c23da5
--- /dev/null
+++ b/patches.suse/vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmp.patch
@@ -0,0 +1,94 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 11 Nov 2017 19:58:50 +0800
+Subject: vxlan: fix the issue that neigh proxy blocks all icmpv6 packets
+Git-commit: 8bff3685a4bbf175a96bc6a528f13455d8d38244
+Patch-mainline: v4.15-rc1
+References: networking-stable-17_11_20
+
+Commit f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport
+header offset") removed icmp6_code and icmp6_type check before calling
+neigh_reduce when doing neigh proxy.
+
+It means all icmpv6 packets would be blocked by this, not only ns packet.
+In Jianlin's env, even ping6 couldn't work through it.
+
+This patch is to bring the icmp6_code and icmp6_type check back and also
+removed the same check from neigh_reduce().
+
+Fixes: f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport header offset")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Vincent Bernat <vincent@bernat.im>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/vxlan.c | 31 +++++++++++++------------------
+ 1 file changed, 13 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1612,26 +1612,19 @@ static struct sk_buff *vxlan_na_create(s
+ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ {
+ struct vxlan_dev *vxlan = netdev_priv(dev);
+- struct nd_msg *msg;
+- const struct ipv6hdr *iphdr;
+ const struct in6_addr *daddr;
+- struct neighbour *n;
++ const struct ipv6hdr *iphdr;
+ struct inet6_dev *in6_dev;
++ struct neighbour *n;
++ struct nd_msg *msg;
+
+ in6_dev = __in6_dev_get(dev);
+ if (!in6_dev)
+ goto out;
+
+- if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct nd_msg)))
+- goto out;
+-
+ iphdr = ipv6_hdr(skb);
+ daddr = &iphdr->daddr;
+-
+ msg = (struct nd_msg *)(iphdr + 1);
+- if (msg->icmph.icmp6_code != 0 ||
+- msg->icmph.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION)
+- goto out;
+
+ if (ipv6_addr_loopback(daddr) ||
+ ipv6_addr_is_multicast(&msg->target))
+@@ -2234,11 +2227,11 @@ tx_error:
+ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct vxlan_dev *vxlan = netdev_priv(dev);
++ struct vxlan_rdst *rdst, *fdst = NULL;
+ const struct ip_tunnel_info *info;
+- struct ethhdr *eth;
+ bool did_rsc = false;
+- struct vxlan_rdst *rdst, *fdst = NULL;
+ struct vxlan_fdb *f;
++ struct ethhdr *eth;
+ __be32 vni = 0;
+
+ info = skb_tunnel_info(skb);
+@@ -2263,12 +2256,14 @@ static netdev_tx_t vxlan_xmit(struct sk_
+ if (ntohs(eth->h_proto) == ETH_P_ARP)
+ return arp_reduce(dev, skb, vni);
+ #if IS_ENABLED(CONFIG_IPV6)
+- else if (ntohs(eth->h_proto) == ETH_P_IPV6) {
+- struct ipv6hdr *hdr, _hdr;
+- if ((hdr = skb_header_pointer(skb,
+- skb_network_offset(skb),
+- sizeof(_hdr), &_hdr)) &&
+- hdr->nexthdr == IPPROTO_ICMPV6)
++ else if (ntohs(eth->h_proto) == ETH_P_IPV6 &&
++ pskb_may_pull(skb, sizeof(struct ipv6hdr) +
++ sizeof(struct nd_msg)) &&
++ ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
++ struct nd_msg *m = (struct nd_msg *)(ipv6_hdr(skb) + 1);
++
++ if (m->icmph.icmp6_code == 0 &&
++ m->icmph.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION)
+ return neigh_reduce(dev, skb, vni);
+ }
+ #endif
diff --git a/series.conf b/series.conf
index b7e262f81f..865abb58c9 100644
--- a/series.conf
+++ b/series.conf
@@ -866,6 +866,11 @@
patches.kernel.org/4.12.14-054-Linux-4.12.14.patch
########################################################
+ # Non-upstream fixes for stable patches
+ ########################################################
+ patches.suse/mlxsw-spectrum-Forbid-linking-to-devices-fix.patch
+
+ ########################################################
# Build fixes that apply to the vanilla kernel too.
# Patches in patches.rpmify are applied to both -vanilla
# and patched flavors.
@@ -1241,6 +1246,9 @@
patches.fixes/tty-handle-the-case-where-we-cannot-restore-a-line-d.patch
patches.drivers/Fix-serial-console-on-SNI-RM400-machines.patch
patches.fixes/drivers-dma-mapping-do-not-leave-an-invalid-area-pages-pointer-in-dma_common_contiguous_remap.patch
+ patches.fixes/firmware-move-kill_requests_without_uevent-up-above.patch
+ patches.fixes/firmware-share-fw-fallback-killing-on-reboot-suspend.patch
+ patches.fixes/firmware-always-enable-the-reboot-notifier.patch
patches.fixes/scsi-ibmvscsi_tgt-remove-use-of-class_attrs.patch
patches.suse/0047-pktcdvd-use-class_groups-instead-of-class_attrs.patch
patches.drivers/IB-nes-convert-to-use-DRIVER_ATTR_RW.patch
@@ -2128,8 +2136,7 @@
patches.drivers/0062-iwlwifi-mvm-rs-add-logs-for-the-wrong-antenna-case.patch
patches.drivers/0063-iwlwifi-pcie-pull-out-common-rfkill-IRQ-handling-cod.patch
patches.drivers/0064-iwlwifi-pcie-add-fake-RF-kill-to-debugfs.patch
- patches.drivers/0065-iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
- patches.drivers/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill
+ patches.suse/iwlwifi-mvm-don-t-warn-in-queue-sync-on-RF-kill.patch
patches.drivers/0066-iwlwifi-pcie-don-t-report-RF-kill-enabled-while-shut.patch
patches.drivers/0067-iwlwifi-pcie-remove-pointless-debugfs-parsing-for-cs.patch
patches.drivers/0068-iwlwifi-mvm-document-status-bits.patch
@@ -2226,8 +2233,7 @@
patches.drivers/iwlwifi-mvm-don-t-send-fetch-the-TID-from-a-non-QoS-
patches.drivers/iwlwifi-pcie-reconfigure-MSI-X-HW-on-resume
patches.drivers/iwlwifi-mvm-don-t-mess-the-SNAP-header-in-TSO-for-no
- patches.drivers/0125-iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
- patches.drivers/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c
+ patches.suse/iwlwifi-mvm-remove-DQA-non-STA-client-mode-special-c.patch
patches.drivers/0126-iwlwifi-mvm-update-rx-statistics-cmd-api.patch
patches.drivers/iwlwifi-mvm-quietly-accept-non-sta-disassoc-frames
patches.drivers/0127-iwlwifi-pcie-propagate-iwl_pcie_apm_init-s-status.patch
@@ -5374,6 +5380,7 @@
patches.fixes/tcp-reindent-two-spots-after-prequeue-removal.patch
patches.fixes/tcp-remove-low_latency-sysctl.patch
patches.fixes/tcp-remove-unused-mib-counters.patch
+ patches.suse/mlxsw-spectrum_router-Simplify-a-piece-of-code.patch
patches.drivers/Bluetooth-hci_bcm-Make-bcm_request_irq-fail-if-no-IR
patches.drivers/Bluetooth-btrtl-Fix-a-error-code-in-rtl_load_config
patches.drivers/Bluetooth-btusb-add-ID-for-LiteOn-04ca-3016
@@ -6484,22 +6491,28 @@
patches.drivers/Input-i8042-add-Gigabyte-P57-to-the-keyboard-reset-t
patches.suse/msft-hv-1461-hv_netvsc-fix-deadlock-on-hotplug.patch
patches.suse/msft-hv-1462-hv_netvsc-avoid-unnecessary-wakeups-on-subchannel-cr.patch
+ patches.suse/net-bonding-Fix-transmit-load-balancing-in-balance-a.patch
patches.fixes/tcp-dccp-remove-reqsk_put-from-inet_child_forget.patch
patches.drivers/net_sched-fix-reference-counting-of-tc-filter-chain.patch
+ patches.suse/mlxsw-spectrum-Prevent-mirred-related-crash-on-remov.patch
patches.fixes/ip_tunnel-fix-ip-tunnel-lookup-in-collect_md-mode.patch
+ patches.suse/net-bonding-fix-tlb_dynamic_lb-default-value.patch
patches.drivers/be2net-fix-TSO6-GSO-issue-causing-TX-stall-on-Lancer.patch
patches.drivers/net-sched-fix-use-after-free-in-tcf_action_destroy-a.patch
patches.drivers/nfp-add-whitelist-of-supported-flow-dissector.patch
patches.drivers/nfp-wait-for-board-state-before-talking-to-the-NSP.patch
patches.drivers/nfp-wait-for-the-NSP-resource-to-appear-on-boot.patch
patches.drivers/net_sched-gen_estimator-fix-scaling-error-in-bytes-p.patch
+ patches.suse/sctp-potential-read-out-of-bounds-in-sctp_ulpevent_t.patch
patches.drivers/tg3-clean-up-redundant-initialization-of-tnapi.patch
patches.drivers/qed-remove-unnecessary-call-to-memset.patch
patches.fixes/net-vrf-avoid-gcc-4.6-warning.patch
+ patches.suse/tcp-update-skb-skb_mstamp-more-carefully.patch
patches.suse/msft-hv-1465-netvsc-increase-default-receive-buffer-size.patch
patches.fixes/sctp-fix-an-use-after-free-issue-in-sctp_sock_dump.patch
patches.fixes/sctp-do-not-mark-sk-dumped-when-inet_sctp_diag_fill-.patch
patches.drivers/bpf-verifier-reject-BPF_ALU64-BPF_END.patch
+ patches.suse/tcp-fix-data-delivery-rate.patch
patches.suse/0001-objtool-Fix-memory-leak-in-elf_create_rela_section.patch
patches.suse/0002-objtool-Do-not-retrieve-data-from-empty-sections.patch
patches.suse/0003-objtool-Fix-object-file-corruption.patch
@@ -6576,13 +6589,18 @@
patches.apparmor/0016-apparmor-fix-build-failure-on-sparc-caused-by-undecl.patch
patches.apparmor/0017-apparmor-fix-apparmorfs-DAC-access-permissions.patch
patches.fixes/udpv6-Fix-the-checksum-computation-when-HW-checksum-.patch
+ patches.suse/ip6_gre-skb_push-ipv6hdr-before-packing-the-header-i.patch
+ patches.suse/net-phy-Fix-mask-value-write-on-gmii2rgmii-converter.patch
+ patches.suse/ip6_tunnel-do-not-allow-loading-ip6_tunnel-if-ipv6-i.patch
patches.drivers/net-sched-cls_matchall-fix-crash-when-used-with-clas.patch
patches.drivers/bnxt_en-check-for-ingress-qdisc-in-flower-offload.patch
patches.fixes/tcp-remove-two-unused-functions.patch
+ patches.suse/8139too-revisit-napi_complete_done-usage.patch
patches.fixes/nl80211-check-for-the-required-netlink-attributes-pr.patch
patches.drivers/nl80211-fix-null-ptr-dereference-on-invalid-mesh-con.patch
patches.drivers/bpf-do-not-disable-enable-BH-in-bpf_map_free_id.patch
patches.fixes/tcp-fastopen-fix-on-syn-data-transmit-failure.patch
+ patches.suse/net-emac-Fix-napi-poll-list-corruption.patch
patches.fixes/net-ipv6-fix-regression-of-no-RTM_DELADDR-sent-after.patch
patches.fixes/ipv6-fix-net.ipv6.conf.all-interface-DAD-handlers.patch
patches.fixes/packet-hold-bind-lock-when-rebinding-to-fanout-hook.patch
@@ -6793,6 +6811,7 @@
patches.fixes/lib-ratelimit-c-use-deferred-printk-version.patch
patches.fixes/l2tp-ensure-sessions-are-freed-after-their-PPPOL2TP-.patch
patches.fixes/l2tp-fix-race-between-l2tp_session_delete-and-l2tp_t.patch
+ patches.suse/net-qcom-emac-specify-the-correct-size-when-mapping-.patch
patches.fixes/vti-fix-use-after-free-in-vti_tunnel_xmit-vti6_tnl_x.patch
patches.fixes/l2tp-fix-race-condition-in-l2tp_tunnel_delete.patch
patches.drivers/0001-iwlwifi-mvm-send-all-non-bufferable-frames-on-the-pr.patch
@@ -6804,10 +6823,13 @@
patches.drivers/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha
patches.drivers/brcmfmac-setup-passive-scan-if-requested-by-user-spa
patches.fixes/sctp-Fix-a-big-endian-bug-in-sctp_diag_dump.patch
+ patches.suse/tun-bail-out-from-tun_get_user-if-the-skb-is-empty.patch
patches.fixes/inetpeer-fix-RCU-lookup-again.patch
patches.fixes/net-dsa-Fix-network-device-registration-order.patch
patches.fixes/packet-in-packet_do_bind-test-fanout-with-bind_lock-.patch
patches.fixes/packet-only-test-po-has_vnet_hdr-once-in-packet_snd.patch
+ patches.suse/net-dsa-mv88e6xxx-lock-mutex-when-freeing-IRQs.patch
+ patches.suse/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
patches.drivers/net-mlx5e-IPoIB-Fix-access-to-invalid-memory-address.patch
patches.drivers/net-mlx5-Fix-FPGA-capability-location.patch
patches.drivers/net-mlx5-Check-device-capability-for-maximum-flow-co.patch
@@ -6819,6 +6841,9 @@
patches.drivers/net-mlx5e-Fix-calculated-checksum-offloads-counters.patch
patches.drivers/net-mlx5-Fix-static-checker-warning-on-steering-trac.patch
patches.drivers/net-mlx5-Fix-wrong-indentation-in-enable-SRIOV-code.patch
+ patches.suse/netlink-do-not-proceed-if-dump-s-start-errs.patch
+ patches.suse/ip6_gre-ip6gre_tap-device-should-keep-dst.patch
+ patches.suse/ip6_tunnel-update-mtu-properly-for-ARPHRD_ETHER-tunn.patch
patches.fixes/IPv4-early-demux-can-return-an-error-code.patch
patches.fixes/udp-perform-source-validation-for-mcast-early-demux.patch
patches.fixes/tipc-use-only-positive-error-codes-in-messages.patch
@@ -6885,6 +6910,7 @@
patches.fixes/scsi-libiscsi-Remove-iscsi_destroy_session.patch
patches.fixes/scsi-ibmvscsis-Fix-write_pending-failure-path.patch
patches.fixes/0003-NFS-Fix-uninitialized-rpc_wait_queue.patch
+ patches.suse/ppp-fix-race-in-ppp-device-destruction.patch
patches.fixes/ipv6-fix-net.ipv6.conf.all.accept_dad-behaviour-for-.patch
patches.drivers/bpf-fix-liveness-marking.patch
patches.drivers/gso-fix-payload-length-when-gso_size-is-zero.patch
@@ -6894,6 +6920,7 @@
patches.fixes/xfrm-Fix-negative-device-refcount-on-offload-failure.patch
patches.fixes/vti-fix-NULL-dereference-in-xfrm_input.patch
patches.drivers/nl80211-Define-policy-for-packet-pattern-attributes
+ patches.suse/netlink-do-not-set-cb_running-if-dump-s-start-errs.patch
patches.fixes/udp-fix-bcast-packet-reception.patch
patches.drivers/ixgbe-Return-error-when-getting-PHY-address-if-PHY-a.patch
patches.drivers/ixgbe-fix-masking-of-bits-read-from-IXGBE_VXLANCTRL-.patch
@@ -7050,6 +7077,7 @@
patches.drivers/bnxt_en-Fix-possible-corruption-in-DCB-parameters-fr.patch
patches.drivers/rtnetlink-bring-NETDEV_CHANGEMTU-event-process-back-.patch
patches.drivers/net-enable-interface-alias-removal-via-rtnl.patch
+ patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
patches.drivers/net-sched-cls_flower-Set-egress_dev-mark-when-callin.patch
patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch
patches.drivers/ibmvnic-114-Fix-calculation-of-number-of-TX-header-descr.patch
@@ -7076,8 +7104,10 @@
patches.drivers/geneve-Fix-function-matching-VNI-and-tunnel-ID-on-bi
patches.drivers/bpf-fix-off-by-one-for-range-markings-with-L-T-E-pat.patch
patches.drivers/bpf-fix-pattern-matches-for-direct-packet-access.patch
+ patches.suse/net-bridge-fix-returning-of-vlan-range-op-errors.patch
patches.drivers/soreuseport-fix-initialization-race.patch
patches.drivers/net-ethtool-remove-error-check-for-legacy-setting-tr.patch
+ patches.suse/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch
patches.suse/objtool-Fix-memory-leak-in-decode_instructions.patch
patches.suse/irqchip-gic-v3-its-Fix-the-incorrect-BUG_ON-in-its_i.patch
patches.suse/irqchip-gic-v3-its-Fix-the-incorrect-parsing-of-VCPU.patch
@@ -7155,8 +7185,12 @@
patches.fixes/0001-Input-gtco-fix-potential-out-of-bound-access.patch
patches.fixes/tcp-do-tcp_mstamp_refresh-before-retransmits-on-TSQ-.patch
patches.fixes/tcp-dccp-fix-lockdep-splat-in-inet_csk_route_req.patch
+ patches.suse/sctp-full-support-for-ipv6-ip_nonlocal_bind-IP_FREEB.patch
patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch
+ patches.suse/net-dsa-check-master-device-before-put.patch
+ patches.suse/net-unix-don-t-show-information-about-sockets-from-o.patch
patches.drivers/nfp-refuse-offloading-filters-that-redirects-to-uppe.patch
+ patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
patches.drivers/can-sun4i-fix-loopback-mode
patches.drivers/can-kvaser_usb-Correct-return-value-in-printout
patches.drivers/can-kvaser_usb-Ignore-CMD_FLUSH_QUEUE_REPLY-messages
@@ -7170,6 +7204,9 @@
patches.drivers/net-mlx5-Delay-events-till-mlx5-interface-s-add-comp.patch
patches.drivers/net-mlx5e-Properly-deal-with-encap-flows-add-del-und.patch
patches.drivers/net-mlx5e-DCBNL-Implement-tc-with-ets-type-and-zero-.patch
+ patches.suse/ipip-only-increase-err_count-for-some-certain-type-i.patch
+ patches.suse/ip6_gre-only-increase-err_count-for-some-certain-typ.patch
+ patches.suse/ip6_gre-update-dst-pmtu-if-dev-mtu-has-been-updated-.patch
patches.drivers/e1000-fix-race-condition-between-e1000_down-and-e100.patch
patches.drivers/e1000-avoid-null-pointer-dereference-on-invalid-stat.patch
patches.drivers/igb-Fix-TX-map-failure-path.patch
@@ -7177,6 +7214,8 @@
patches.drivers/i40e-Fix-incorrect-use-of-tx_itr_setting-when-checki.patch
patches.drivers/i40e-Add-programming-descriptors-to-cleaned_count.patch
patches.fixes/tcp-refresh-tp-timestamp-before-tcp_mtu_probe.patch
+ patches.suse/tap-reference-to-KVA-of-an-unloaded-module-causes-ke.patch
+ patches.suse/sctp-reset-owner-sk-for-data-chunks-on-out-queues-wh.patch
patches.drivers/net_sched-avoid-matching-qdisc-with-zero-handle.patch
patches.fixes/sctp-fix-some-type-cast-warnings-introduced-by-trans.patch
patches.fixes/sctp-fix-a-type-cast-warnings-that-causes-a_rwnd-get.patch
@@ -7188,6 +7227,7 @@
patches.drivers/net-hns-set-correct-return-value.patch
patches.fixes/xfrm-Clear-sk_dst_cache-when-applying-per-socket-pol.patch
patches.fixes/xfrm-Fix-GSO-for-IPsec-with-GRE-tunnel.patch
+ patches.suse/tun-tap-sanitize-TUNSETSNDBUF-input.patch
patches.fixes/ipv6-addrconf-increment-ifp-refcount-before-ipv6_del.patch
patches.fixes/tcp-fix-tcp_mtu_probe-vs-highest_sack.patch
patches.drivers/nvme-rdma-fix-possible-hang-when-issuing-commands-du.patch
@@ -7206,8 +7246,10 @@
patches.fixes/userfaultfd-hugetlbfs-prevent-UFFDIO_COPY-to-fill-be.patch
patches.fixes/ocfs2-fstrim-Fix-start-offset-of-first-cluster-group.patch
patches.fixes/mm-swap-fix-race-between-swap-count-continuation-operations.patch
+ patches.suse/tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch
patches.fixes/net-vrf-correct-FRA_L3MDEV-encode-type.patch
patches.fixes/tcp-do-not-mangle-skb-cb-in-tcp_make_synack.patch
+ patches.suse/net-systemport-Correct-IPG-length-settings.patch
patches.drivers/drm-i915-Cancel-the-modeset-retry-work-during-modese
patches.drivers/drm-i915-Do-not-rely-on-wm-preservation-for-ILK-wate
patches.drivers/drm-i915-edp-read-edp-display-control-registers-unco
@@ -7243,10 +7285,13 @@
patches.apparmor/0004-apparmor-fix-off-by-one-comparison-on-MAXMAPPED_SIG.patch
patches.fixes/keys-fix-null-pointer-dereference-during-asn-1-parsing
patches.arch/44-x86-mm-Unbreak-modules-that-rely-on-external-PAGE_KERNEL-availability.patch
+ patches.suse/netfilter-ipvs-clear-ipvs_property-flag-when-SKB-net.patch
patches.fixes/l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_.patch
patches.drivers/net-mlx5e-core-en_fs-fix-pointer-dereference-after-f.patch
+ patches.suse/bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
patches.fixes/0001-net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch
patches.fixes/0001-net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch
+ patches.suse/qmi_wwan-Add-missing-skb_reset_mac_header-call.patch
patches.drivers/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch
patches.drivers/ALSA-usb-audio-support-new-Amanero-Combo384-firmware
patches.drivers/ALSA-timer-Limit-max-instances-per-timer
@@ -7260,6 +7305,7 @@
patches.drivers/Input-elan_i2c-add-ELAN060C-to-the-ACPI-table
patches.fixes/rbd-use-gfp_noio-for-parent-stat-and-data-requests.patch
patches.fixes/tcp-fix-tcp_fastretrans_alert-warning.patch
+ patches.suse/vlan-fix-a-use-after-free-in-vlan_device_event.patch
patches.drivers/net-mlx5-Loop-over-temp-list-to-release-delay-events.patch
patches.drivers/net-mlx5-Cancel-health-poll-before-sending-panic-tea.patch
patches.drivers/net-mlx5e-Fix-napi-poll-with-zero-budget.patch
@@ -8220,7 +8266,9 @@
patches.drivers/iwlwifi-add-new-cards-for-a000-series.patch
patches.drivers/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-ti
patches.drivers/rt2x00usb-mark-device-removed-when-get-ENOENT-usb-er
+ patches.suse/af_netlink-ensure-that-NLMSG_DONE-never-fails-in-dum.patch
patches.drivers/NFC-fix-device-allocation-error-return
+ patches.suse/vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmp.patch
patches.drivers/cxgb4-collect-LE-TCAM-dump.patch
patches.drivers/cxgb4-collect-SGE-queue-context-dump.patch
patches.fixes/bpf-improve-verifier-ARG_CONST_SIZE_OR_ZERO-semantic.patch
@@ -9110,6 +9158,8 @@
patches.arch/clk-imx-imx7d-Fix-parent-clock-for-OCRAM_CLK.patch
patches.fixes/sctp-check-stream-reset-info-len-before-making-recon.patch
patches.suse/msft-hv-1517-hv_netvsc-preserve-hw_features-on-mtu-channels-ringp.patch
+ patches.suse/fealnx-Fix-building-error-on-MIPS.patch
+ patches.suse/net-sctp-Always-set-scope_id-in-sctp_inet6_skb_msgna.patch
patches.drivers/nfp-fix-flower-offload-metadata-flag-usage.patch
patches.drivers/nfp-fix-vlan-receive-MAC-statistics-typo.patch
patches.drivers/nfp-inherit-the-max_mtu-from-the-PF-netdev.patch
@@ -9180,11 +9230,13 @@
patches.fixes/scsi-bnx2fc-Fix-hung-task-messages-when-a-cleanup-re.patch
patches.drivers/net-sched-fix-crash-when-deleting-secondary-chains.patch
patches.fixes/ipv6-Do-not-consider-linkdown-nexthops-during-multip.patch
+ patches.suse/net-realtek-r8169-implement-set_link_ksettings.patch
patches.fixes/net-accept-UFO-datagrams-from-tuntap-and-packet.patch
patches.fixes/bpf-change-bpf_probe_write_user-to-bpf_trace_printk-.patch
patches.fixes/bpf-introduce-ARG_PTR_TO_MEM_OR_NULL.patch
patches.fixes/bpf-remove-explicit-handling-of-0-for-arg2-in-bpf_pr.patch
patches.fixes/bpf-fix-branch-pruning-logic.patch
+ patches.suse/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch
patches.drivers/i40e-fix-the-calculation-of-VFs-mac-addresses.patch
patches.drivers/ixgbe-Fix-skb-list-corruption-on-Power-systems.patch
patches.drivers/i40e-Use-smp_rmb-rather-than-read_barrier_depends.patch
@@ -9268,6 +9320,7 @@
patches.drivers/bnxt_en-Fix-an-error-handling-path-in-bnxt_get_modul.patch
patches.fixes/packet-fix-crash-in-fanout_demux_rollover.patch
patches.fixes/net-packet-fix-a-race-in-packet_bind-and-packet_noti.patch
+ patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch
patches.drivers/net-sched-cbq-create-block-for-q-link.block.patch
patches.suse/btrfs-move-definition-of-the-function-btrfs_find_new.patch
patches.suse/btrfs-fix-reported-number-of-inode-blocks-after-buff.patch
@@ -9381,6 +9434,7 @@
patches.drivers/i2c-i2c-boardinfo-fix-memory-leaks-on-devinfo
patches.fixes/eeprom-at24-fix-reading-from-24MAC402-24MAC602.patch
patches.fixes/tcp-remove-buggy-call-to-tcp_v6_restore_cb.patch
+ patches.suse/sit-update-frag_off-info.patch
patches.fixes/tcp-dccp-block-bh-before-arming-time_wait-timer.patch
patches.fixes/tipc-call-tipc_rcv-only-if-bearer-is-up-in-tipc_udp_.patch
patches.drivers/bnxt_en-Need-to-unconditionally-shut-down-RoCE-in-bn.patch
@@ -9390,6 +9444,7 @@
patches.drivers/s390-qeth-fix-thinko-in-IPv4-multicast-address-track.patch
patches.drivers/s390-qeth-fix-GSO-throughput-regression.patch
patches.drivers/s390-qeth-build-max-size-GSO-skbs-on-L2-devices.patch
+ patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch
patches.drivers/can-kvaser_usb-free-buf-in-error-paths
patches.drivers/can-kvaser_usb-Fix-comparison-bug-in-kvaser_usb_read
patches.drivers/can-kvaser_usb-ratelimit-errors-if-incomplete-messag
@@ -9488,13 +9543,20 @@
patches.drivers/nfp-fix-port-stats-for-mac-representors.patch
patches.drivers/net_sched-red-Avoid-devision-by-zero.patch
patches.drivers/net_sched-red-Avoid-illegal-values.patch
+ patches.suse/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch
+ patches.suse/net-remove-hlist_nulls_add_tail_rcu.patch
patches.fixes/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
patches.drivers/net-thunderx-Fix-TCP-UDP-checksum-offload-for-IPv4-p.patch
patches.fixes/rds-Fix-NULL-pointer-dereference-in-__rds_rdma_map.patch
+ patches.suse/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch
+ patches.suse/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch
patches.fixes/tcp-use-current-time-in-tcp_rcv_space_adjust.patch
patches.fixes/0001-usbnet-fix-alignment-for-frames-with-no-ethernet-hea.patch
patches.fixes/tcp-invalidate-rate-samples-during-SACK-reneging.patch
patches.drivers/sfc-pass-valid-pointers-from-efx_enqueue_unwind.patch
+ patches.suse/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch
+ patches.suse/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch
+ patches.suse/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch
patches.drivers/bnxt_en-Fix-sources-of-spurious-netpoll-warnings.patch
patches.drivers/iwlwifi-mvm-don-t-use-transmit-queue-hang-detection-.patch
patches.drivers/iwlwifi-mvm-fix-the-TX-queue-hang-timeout-for-MONITO
@@ -9591,12 +9653,15 @@
patches.fixes/0001-usb-dwc3-gadget-Wait-longer-for-controller-to-end-co.patch
patches.fixes/0001-usb-dwc3-of-simple-fix-missing-clk_disable_unprepare.patch
patches.fixes/0001-USB-core-prevent-malicious-bNumInterfaces-overflow.patch
+ patches.suse/ptr_ring-add-barriers.patch
patches.fixes/netlink-Add-netns-check-on-taps.patch
patches.fixes/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
patches.fixes/sctp-make-sure-stream-nums-can-match-optlen-in-sctp_.patch
patches.fixes/fou-fix-some-member-types-in-guehdr.patch
patches.fixes/tcp-md5sig-Use-skb-s-saddr-when-replying-to-an-incom.patch
+ patches.suse/ipv6-mcast-better-catch-silly-mtu-values.patch
patches.fixes/ipv4-igmp-guard-against-silly-MTU-values.patch
+ patches.suse/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch
patches.fixes/0001-net-qmi_wwan-add-Sierra-EM7565-1199-9091.patch
patches.fixes/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
patches.fixes/netfilter-xt_bpf-add-overflow-checks.patch
@@ -9608,10 +9673,12 @@
patches.drivers/net-mlx4_en-Fill-all-counters-under-one-call-of-stat.patch
patches.fixes/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch
patches.fixes/bpf-add-schedule-points-to-map-alloc-free.patch
+ patches.suse/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch
patches.drivers/s390-qeth-apply-takeover-changes-when-mode-is-toggle.patch
patches.drivers/s390-qeth-don-t-apply-takeover-changes-to-RXIP.patch
patches.drivers/s390-qeth-lock-IP-table-while-applying-takeover-chan.patch
patches.drivers/s390-qeth-update-takeover-IPs-after-configuration-ch.patch
+ patches.suse/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch
patches.fixes/0001-net-usb-qmi_wwan-add-Telit-ME910-PID-0x1101-support.patch
patches.drivers/net-sched-fix-static-key-imbalance-in-case-of-ingres.patch
patches.fixes/0001-nfs-fix-a-deadlock-in-nfs-client-initialization.patch
@@ -9694,7 +9761,9 @@
patches.drivers/bpf-s390x-do-not-reload-skb-pointers-in-non-skb-cont.patch
patches.drivers/bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-cont.patch
patches.fixes/bpf-guarantee-r1-to-be-ctx-in-case-of-bpf_helper_cha.patch
+ patches.suse/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch
patches.fixes/sctp-add-SCTP_CID_RECONF-conversion-in-sctp_cname.patch
+ patches.suse/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch
patches.drivers/nl80211-fix-nl80211_send_iface-error-paths
patches.drivers/mac80211_hwsim-Fix-a-possible-sleep-in-atomic-bug-in
patches.drivers/tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch
@@ -9717,6 +9786,7 @@
patches.drivers/net-mlx5-Cleanup-IRQs-in-case-of-unload-failure.patch
patches.drivers/net-mlx5-Stay-in-polling-mode-when-command-EQ-destro.patch
patches.drivers/s390-qeth-fix-error-handling-in-checksum-cmd-callbac.patch
+ patches.suse/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch
patches.drivers/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
patches.drivers/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
patches.fixes/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
@@ -9728,6 +9798,7 @@
patches.fixes/selftests-bpf-add-tests-for-recent-bugfixes.patch
patches.fixes/bpf-do-not-allow-root-to-mangle-valid-pointers.patch
patches.fixes/openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch
+ patches.suse/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch
patches.arch/clk-fix-a-panic-error-caused-by-accessing-NULL-point.patch
patches.drivers/drm-i915-Flush-pending-GTT-writes-before-unbinding
patches.drivers/drm-i915-Drop-fb-reference-on-load_detect_pipe-failu
@@ -9809,12 +9880,17 @@
patches.drivers/led-core-Fix-brightness-setting-when-setting-delay_o
patches.drivers/drm-i915-gvt-Fix-pipe-A-enable-as-default-for-vgpu
patches.drivers/i915-Reject-CCS-modifiers-for-pipe-C-on-Geminilake
+ patches.suse/ip6_gre-fix-device-features-for-ioctl-setup.patch
+ patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch
+ patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch
+ patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch
patches.fixes/xfrm-Fix-xfrm_input-to-verify-state-is-valid-when-en.patch
patches.fixes/xfrm-Reinject-transport-mode-packets-through-tasklet.patch
patches.drivers/tg3-Add-workaround-to-restrict-5762-MRRS-to-2048.patch
patches.drivers/tg3-Enable-PHY-reset-in-MTU-change-path-for-5720.patch
patches.drivers/bnx2x-Improve-reliability-in-case-of-nested-PCI-erro.patch
patches.fixes/sctp-Replace-use-of-sockets_allocated-with-specified.patch
+ patches.suse/tipc-fix-hanging-poll-for-stream-sockets.patch
patches.fixes/sock-Add-sock_owned_by_user_nocheck.patch
patches.fixes/strparser-Call-sock_owned_by_user_nocheck.patch
patches.arch/01-x86-cpufeatures-add-x86_bug_cpu_insecure.patch
@@ -9863,6 +9939,7 @@
patches.fixes/0001-USB-serial-option-adding-support-for-YUGA-CLM920-NC5.patch
patches.fixes/0001-USB-serial-ftdi_sio-add-id-for-Airbus-DS-P8GR.patch
patches.fixes/0001-usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch
+ patches.suse/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch
patches.drivers/drivers-base-cacheinfo-fix-cache-type-for-non-archit
patches.drivers/0001-thunderbolt-Mask-ring-interrupt-properly-when-pollin.patch
patches.suse/msft-hv-1520-vmbus-unregister-device_obj-channels_kset.patch
@@ -9927,11 +10004,17 @@
patches.drivers/RDMA-netlink-Fix-locking-around-__ib_get_device_by_i.patch
patches.drivers/IB-srpt-Disable-RDMA-access-by-the-initiator.patch
patches.drivers/IB-srpt-Fix-ACL-lookup-during-login.patch
+ patches.suse/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-sta.patch
+ patches.suse/mlxsw-spectrum_router-Fix-NULL-pointer-deref.patch
+ patches.suse/mlxsw-spectrum-Relax-sanity-checks-during-enslavemen.patch
patches.drivers/net-sched-Fix-update-of-lastuse-in-act-modules-imple.patch
patches.fixes/0001-NET-usb-qmi_wwan-add-support-for-YUGA-CLM920-NC5-PID.patch
+ patches.suse/ethtool-do-not-print-warning-for-applications-using-.patch
patches.fixes/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
patches.drivers/e1000-fix-disabling-already-disabled-warning.patch
patches.suse/e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch
+ patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch
patches.drivers/cxgb4-Fix-FW-flash-errors.patch
patches.drivers/net-ena-unmask-MSI-X-only-after-device-initializatio.patch
patches.drivers/net-ena-fix-error-handling-in-ena_down-sequence.patch
@@ -9939,13 +10022,19 @@
patches.drivers/i40e-don-t-remove-netdev-dev_addr-when-syncing-uc-li.patch
patches.drivers/nl80211-Check-for-the-required-netlink-attribute-pre
patches.drivers/mac80211-mesh-drop-frames-appearing-to-be-from-us
+ patches.suse/net-stmmac-enable-EEE-in-MII-GMII-or-RGMII-only.patch
+ patches.suse/sh_eth-fix-TSU-resource-handling.patch
patches.fixes/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
patches.fixes/netfilter-uapi-correct-untracked-conntrack-state-bit-number
+ patches.suse/net-fec-free-restore-resource-in-related-probe-error.patch
patches.drivers/can-vxcan-improve-handling-of-missing-peer-name-attr
patches.drivers/can-gs_usb-fix-return-value-of-the-set_bittiming-cal
patches.drivers/can-flex_can-Correct-the-checking-for-frame-length-i
+ patches.suse/sh_eth-fix-SH7757-GEther-initialization.patch
patches.drivers/bnxt_en-Fix-population-of-flow_type-in-bnxt_hwrm_cfa.patch
patches.drivers/bnxt_en-Fix-the-Invalid-VF-id-check-in-bnxt_vf_ndo_p.patch
+ patches.suse/sctp-do-not-retransmit-upon-FragNeeded-if-PMTU-disco.patch
+ patches.suse/sctp-fix-the-handling-of-ICMP-Frag-Needed-for-too-sm.patch
patches.drivers/block-drain-queue-before-waiting-for-q_usage_counter.patch
patches.drivers/nvme-pci-move-use_sgl-initialization-to-nvme_init_io.patch
patches.drivers/nvme-fix-sector-units-when-going-between-formats.patch
@@ -9960,14 +10049,17 @@
patches.drivers/ALSA-aloop-Fix-racy-hw-constraints-adjustment
patches.drivers/ALSA-pcm-Abort-properly-at-pending-signal-in-OSS-rea
patches.drivers/ALSA-pcm-Allow-aborting-mutex-lock-at-OSS-read-write
+ patches.suse/net-core-fix-module-type-in-sock_diag_bind.patch
patches.fixes/net-ipv4-emulate-READ_ONCE-on-hdrincl-bit-field-in-r.patch
patches.fixes/selftests-bpf-fix-test_align.patch
patches.suse/bpf-prevent-out-of-bounds-speculation.patch
patches.fixes/bpf-introduce-BPF_JIT_ALWAYS_ON-config.patch
patches.drivers/0001-iwlwifi-pcie-fix-DMA-memory-mapping-unmapping.patch
patches.drivers/wcn36xx-Fix-dynamic-power-saving
+ patches.suse/8021q-fix-a-memory-leak-for-VLAN-0-device.patch
patches.drivers/nfp-always-unmask-aux-interrupts-at-init.patch
patches.fixes/ipv6-fix-possible-mem-leaks-in-ipv6_make_skb.patch
+ patches.suse/ipv6-sr-fix-TLVs-not-being-copied-using-setsockopt.patch
patches.fixes/rbd-reacquire-lock-should-update-lock-owner-client-id
patches.fixes/rbd-set-max_segments-to-ushrt_max
patches.drivers/drm-vc4-Move-IRQ-enable-to-PM-path
@@ -10145,10 +10237,12 @@
patches.drivers/ibmvnic-Revert-to-previous-mtu-when-unsupported-valu.patch
patches.drivers/ibmvnic-Allocate-and-request-vpd-in-init_resources.patch
patches.fixes/gso-validate-gso_type-in-GSO-handlers.patch
+ patches.suse/net-igmp-fix-source-address-check-for-IGMPv3-reports.patch
patches.drivers/be2net-restore-properly-promisc-mode-after-queues-re.patch
patches.suse/x86-ftrace-Fix-ORC-unwinding-from-ftrace-handlers.patch
patches.suse/0001-ftrace-orc-x86-Handle-ftrace-dynamically-allocated-t.patch
patches.suse/0002-tracing-Update-stack-trace-skipping-for-ORC-unwinder.patch
+ patches.suse/ipv6-Fix-getsockopt-for-sockets-with-default-IPV6_AU.patch
patches.drivers/vmxnet3-repair-memory-leak
patches.fixes/xfrm-Add-SA-to-hardware-at-the-end-of-xfrm_state_con.patch
patches.suse/btrfs-fix-stale-entries-in-readdir.patch
@@ -10835,6 +10929,10 @@
patches.drivers/iio-ABI-Fix-name-of-timestamp-sysfs-file
patches.drivers/iio-imu-st_lsm6dsx-fix-endianness-in-st_lsm6dsx_read
patches.drivers/iio-adc-stm32-fix-scan-of-multiple-channels-with-DMA
+ patches.fixes/firmware-add-helper-to-unregister-pm-ops.patch
+ patches.fixes/firmware-fix-capturing-errors-on-fw_cache_init-on-ea.patch
+ patches.fixes/firmware-provide-helpers-for-registering-the-syfs-lo.patch
+ patches.fixes/firmware-fix-detecting-error-on-register_reboot_noti.patch
patches.drivers/coresight-Fix-disabling-of-CoreSight-TPIU
patches.drivers/mei-me-allow-runtime-pm-for-platform-with-D0i3
patches.suse/msft-hv-1540-vmbus-make-channel-attributes-static.patch
@@ -11363,6 +11461,7 @@
patches.fixes/netfilter-ipt_CLUSTERIP-fix-out-of-bounds-accesses-i.patch
patches.fixes/netfilter-on-sockopt-acquire-sock-lock-only-in-the-r.patch
patches.drivers/ibmvnic-fix-firmware-version-when-no-firmware-level-.patch
+ patches.suse/net-igmp-add-a-missing-rcu-locking-section.patch
patches.fixes/Revert-defer-call-to-mem_cgroup_sk_alloc.patch
patches.drivers/firmware-dmi_scan-Fix-handling-of-empty-DMI-strings
patches.fixes/mbcache-initialize-entry-e_referenced-in-mb_cache_en.patch
@@ -11851,6 +11950,7 @@
patches.drivers/net-mlx5-Add-header-re-write-to-the-checks-for-confl.patch
patches.fixes/bpf-fix-memory-leak-in-lpm_trie-map_free-callback-fu.patch
patches.fixes/bpf-fix-mlock-precharge-on-arraymaps.patch
+ patches.suse/netlink-put-module-reference-if-dump-start-fails.patch
patches.fixes/tcp_bbr-better-deal-with-suboptimal-GSO.patch
patches.fixes/net-ipv4-Set-addr_type-in-hash_keys-for-forwarded-ca.patch
patches.drivers/ibmvnic-Fix-early-release-of-login-buffer.patch
@@ -12848,6 +12948,7 @@
patches.arch/s390-cio-update-chpid-descriptor-after-resource-acce.patch
patches.arch/s390-uprobes-implement-arch_uretprobe_is_alive.patch
patches.arch/s390-dasd-fix-IO-error-for-newly-defined-devices.patch
+ patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch
patches.drivers/ACPI-button-make-module-loadable-when-booted-in-non-
patches.drivers/ACPI-video-Only-default-only_lcd-to-true-on-Win8-rea
patches.drivers/drm-amdgpu-set-COMPUTE_PGM_RSRC1-for-SGPR-VGPR-clear
@@ -12890,6 +12991,7 @@
patches.fixes/ext4-set-h_journal-if-there-is-a-failure-starting-a-.patch
patches.fixes/ext4-fix-bitmap-position-validation.patch
patches.fixes/ext4-add-MODULE_SOFTDEP-to-ensure-crc32c-is-included.patch
+ patches.fixes/x86-do-not-reserve-crash-kernel-if-booted-on-xen-pv.patch
patches.drivers/Input-leds-fix-out-of-bound-access
patches.drivers/Input-atmel_mxt_ts-add-touchpad-button-mapping-for-S
patches.fixes/0001-NET-usb-qmi_wwan-add-support-for-ublox-R410M-PID-0x9.patch
@@ -12991,6 +13093,7 @@
patches.drivers/cfg80211-further-limit-wiphy-names-to-64-bytes
patches.drivers/ibmvnic-Only-do-H_EOI-for-mobility-events.patch
patches.drivers/ibmvnic-Fix-partial-success-login-retries.patch
+ patches.suse/kernel-sys.c-fix-potential-Spectre-v1-issue.patch
patches.drivers/Input-synaptics-Lenovo-Carbon-X1-Gen5-2017-devices-s
patches.drivers/Input-synaptics-Lenovo-Thinkpad-X1-Carbon-G5-2017-wi
patches.drivers/Input-synaptics-add-Intertouch-support-on-X1-Carbon-
@@ -13106,6 +13209,8 @@
patches.drivers/scsi-qla2xxx-Delete-session-for-nport-id-change.patch
patches.drivers/ubi-fastmap-Cancel-work-upon-detach
patches.drivers/drm-i915-Remove-stale-asserts-from-i915_gem_find_act
+ patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch
+ patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-EliteBook-830
patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-ProBook-640-G4
patches.drivers/ALSA-usb-audio-Disable-the-quirk-for-Nura-headset
@@ -13113,6 +13218,7 @@
patches.drivers/ALSA-usb-audio-Add-native-DSD-support-for-Mytek-DACs
patches.drivers/ALSA-usb-audio-Generic-DSD-detection-for-XMOS-based-
patches.drivers/ALSA-usb-audio-Remove-explicitly-listed-Mytek-device
+ patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
# jejb/scsi for-next
patches.drivers/0001-qla2xxx-Mask-off-Scope-bits-in-retry-delay.patch
@@ -13245,7 +13351,6 @@
patches.fixes/0001-autofs-revert-autofs-take-more-care-to-not-update-la.patch
patches.fixes/dcache-add-cond_resched-in-shrink_dentry_list.patch
patches.suse/sched-numa-Stagger-NUMA-balancing-scan-periods-for-new-threads.patch
- patches.suse/mremap-Remove-LATENCY_LIMIT-from-mremap-to-reduce-the-number-of-TLB-shootdowns.patch
########################################################
# misc small fixes
@@ -13325,7 +13430,6 @@
########################################################
# cephfs
########################################################
- patches.fixes/ceph-fix-st_nlink-stat-for-directories.patch
########################################################
# Suse specific stuff
@@ -13345,7 +13449,6 @@
########################################################
patches.arch/acpi_thinkpad_introduce_acpi_root_table_boot_param.patch
patches.arch/acpi_thermal_passive_blacklist.patch
- patches.drivers/ACPI-scan-Initialize-watchdog-before-PNP.patch
########################################################
# Driver core
@@ -13628,6 +13731,7 @@
patches.fixes/0002-rbd-make-sure-pages-are-freed-by-libceph.patch
patches.fixes/target-rbd-handle-zero-length-UNMAP-requests-early.patch
patches.fixes/target-rbd-use-target_configure_unmap_from_queue-hel.patch
+ patches.drivers/target-transport-should-handle-st-FM-EOM-ILI-reads.patch
########################################################
# device-mapper
@@ -13757,6 +13861,8 @@
patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
patches.kabi/x86-cpuinfo_x86-ignore-initialized-member.patch
patches.kabi/powerpc-livepatch-fix-kabi-breaker-stacktraces.patch
+ patches.kabi/kabi-protect-tap_create_cdev.patch
+ patches.kabi/kabi-protect-struct-ipv6_pinfo.patch
# SSB
patches.suse/01-x86-nospec-simplify-alternative_msr_write.patch
@@ -13811,6 +13917,7 @@
patches.arch/46-kvm-x86-ia32_arch_capabilities-is-always-supported.patch
patches.arch/47-kvm-vmx-expose-ssbd-properly-to-guests.patch
patches.kabi/fix-kvm-kabi.patch
+ patches.arch/x86-pti-xenpv-dont-report-as-vulnerable.patch
patches.kabi/mm-swap-fix-race-between-swap-count-continuation-operation-kabi.patch