From 952a7a1931009b6589bdb3d95ba6cb3c6acf95d4 Mon Sep 17 00:00:00 2001
From: Hangbin Liu <liuhangbin@gmail.com>
Date: Thu, 27 Sep 2018 15:28:36 +0800
Subject: [PATCH 1/4] vxlan: show correct ttl inherit info

We should only show ttl inherit when IFLA_VXLAN_TTL_INHERIT supplied.
Otherwise show the ttl number, or auto when it is 0.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 ip/iplink_vxlan.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/ip/iplink_vxlan.c b/ip/iplink_vxlan.c
index 831f39a2..7fc0e2b4 100644
--- a/ip/iplink_vxlan.c
+++ b/ip/iplink_vxlan.c
@@ -145,7 +145,7 @@ static int vxlan_parse_opt(struct link_util *lu, int argc, char **argv,
 			NEXT_ARG();
 			check_duparg(&attrs, IFLA_VXLAN_TTL, "ttl", *argv);
 			if (strcmp(*argv, "inherit") == 0) {
-				addattr_l(n, 1024, IFLA_VXLAN_TTL_INHERIT, NULL, 0);
+				addattr(n, 1024, IFLA_VXLAN_TTL_INHERIT);
 			} else if (strcmp(*argv, "auto") == 0) {
 				addattr8(n, 1024, IFLA_VXLAN_TTL, ttl);
 			} else {
@@ -527,12 +527,16 @@ static void vxlan_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
 			print_string(PRINT_FP, NULL, "tos %s ", "inherit");
 	}
 
-	if (tb[IFLA_VXLAN_TTL])
-		ttl = rta_getattr_u8(tb[IFLA_VXLAN_TTL]);
-	if (is_json_context() || ttl)
-		print_uint(PRINT_ANY, "ttl", "ttl %u ", ttl);
-	else
+	if (tb[IFLA_VXLAN_TTL_INHERIT] &&
+	    rta_getattr_u8(tb[IFLA_VXLAN_TTL_INHERIT])) {
 		print_string(PRINT_FP, NULL, "ttl %s ", "inherit");
+	} else if (tb[IFLA_VXLAN_TTL]) {
+		ttl = rta_getattr_u8(tb[IFLA_VXLAN_TTL]);
+		if (is_json_context() || ttl)
+			print_uint(PRINT_ANY, "ttl", "ttl %u ", ttl);
+		else
+			print_string(PRINT_FP, NULL, "ttl %s ", "auto");
+	}
 
 	if (tb[IFLA_VXLAN_LABEL]) {
 		__u32 label = rta_getattr_u32(tb[IFLA_VXLAN_LABEL]);

From 650a10e032bd03db42426aba1a8fdd130f248a8b Mon Sep 17 00:00:00 2001
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Thu, 4 Oct 2018 17:08:34 -0700
Subject: [PATCH 2/4] tc: jsonify output of q_fifo

Print limits correctly in JSON context.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 tc/q_fifo.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tc/q_fifo.c b/tc/q_fifo.c
index cb86a404..61493fbb 100644
--- a/tc/q_fifo.c
+++ b/tc/q_fifo.c
@@ -69,9 +69,12 @@ static int fifo_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt)
 	qopt = RTA_DATA(opt);
 	if (strcmp(qu->id, "bfifo") == 0) {
 		SPRINT_BUF(b1);
-		fprintf(f, "limit %s", sprint_size(qopt->limit, b1));
-	} else
-		fprintf(f, "limit %up", qopt->limit);
+		print_uint(PRINT_JSON, "limit", NULL, qopt->limit);
+		print_string(PRINT_FP, NULL, "limit %s",
+			     sprint_size(qopt->limit, b1));
+	} else {
+		print_uint(PRINT_ANY, "limit", "limit %up", qopt->limit);
+	}
 	return 0;
 }
 

From 8c50b728b226f6254251282697ce38a72639a6fc Mon Sep 17 00:00:00 2001
From: Vlad Buslov <vladbu@mellanox.com>
Date: Mon, 8 Oct 2018 23:52:26 +0300
Subject: [PATCH 3/4] libnetlink: fix use-after-free of message buf

In __rtnl_talk_iov() main loop, err is a pointer to memory in dynamically
allocated 'buf' that is used to store netlink messages. If netlink message
is an error message, buf is deallocated before returning with error code.
However, on return err->error code is checked one more time to generate
return value, after memory which err points to has already been
freed. Save error code in temporary variable and use the variable to
generate return value.

Fixes: c60389e4f9ea ("libnetlink: fix leak and using unused memory on error")
Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/libnetlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index f18dceac..a9932d42 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -656,6 +656,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
 
 			if (h->nlmsg_type == NLMSG_ERROR) {
 				struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
+				int error = err->error;
 
 				if (l < sizeof(struct nlmsgerr)) {
 					fprintf(stderr, "ERROR truncated\n");
@@ -679,7 +680,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
 				else
 					free(buf);
 
-				return err->error ? -i : 0;
+				return error ? -i : 0;
 			}
 
 			if (answer) {

From bfb3bf189f49ca401a9260447b4c5055acadae46 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen@networkplumber.org>
Date: Tue, 9 Oct 2018 09:46:11 -0700
Subject: [PATCH 4/4] libnetlink: use local variable

Now that err->error is in local variable, use it consistently.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/libnetlink.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/libnetlink.c b/lib/libnetlink.c
index a9932d42..d9de4f20 100644
--- a/lib/libnetlink.c
+++ b/lib/libnetlink.c
@@ -664,11 +664,11 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
 					return -1;
 				}
 
-				if (!err->error)
+				if (!error) {
 					/* check messages from kernel */
 					nl_dump_ext_ack(h, errfn);
-				else {
-					errno = -err->error;
+				} else {
+					errno = -error;
 
 					if (rtnl->proto != NETLINK_SOCK_DIAG &&
 					    show_rtnl_err)