backport some patches from community

backport-devlink-fix-devlink-health-dump-command-without-arg.patch

@@ -0,0 +1,68 @@
+From e81fd551a1a0ffa7983d25f5e756a5c5b6cb4a9a Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@nvidia.com>
+Date: Tue, 19 Apr 2022 19:15:11 +0200
+Subject: [PATCH] devlink: fix "devlink health dump" command without arg
+
+Fix bug when user calls "devlink health dump" without "show" or "clear":
+$ devlink health dump
+Command "(null)" not found
+
+Put the dump command into a separate helper as it is usual in the rest
+of the code. Also, treat no cmd as "show", as it is common for other
+devlink objects.
+
+Fixes: 041e6e651a8e ("devlink: Add devlink health dump show command")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=e81fd551a1a
+---
+ devlink/devlink.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/devlink/devlink.c b/devlink/devlink.c
+index da9f9778..aab739f7 100644
+--- a/devlink/devlink.c
++++ b/devlink/devlink.c
+@@ -8526,6 +8526,23 @@ static void cmd_health_help(void)
+ 	pr_err("                          [ auto_dump    { true | false } ]\n");
+ }
+ 
++static int cmd_health_dump(struct dl *dl)
++{
++	if (dl_argv_match(dl, "help")) {
++		cmd_health_help();
++		return 0;
++	} else if (dl_argv_match(dl, "show") ||
++		   dl_argv_match(dl, "list") || dl_no_arg(dl)) {
++		dl_arg_inc(dl);
++		return cmd_health_dump_show(dl);
++	} else if (dl_argv_match(dl, "clear")) {
++		dl_arg_inc(dl);
++		return cmd_health_dump_clear(dl);
++	}
++	pr_err("Command \"%s\" not found\n", dl_argv(dl));
++	return -ENOENT;
++}
++
+ static int cmd_health(struct dl *dl)
+ {
+ 	if (dl_argv_match(dl, "help")) {
+@@ -8546,13 +8563,7 @@ static int cmd_health(struct dl *dl)
+ 		return cmd_health_test(dl);
+ 	} else if (dl_argv_match(dl, "dump")) {
+ 		dl_arg_inc(dl);
+-		if (dl_argv_match(dl, "show")) {
+-			dl_arg_inc(dl);
+-			return cmd_health_dump_show(dl);
+-		} else if (dl_argv_match(dl, "clear")) {
+-			dl_arg_inc(dl);
+-			return cmd_health_dump_clear(dl);
+-		}
++		return cmd_health_dump(dl);
+ 	} else if (dl_argv_match(dl, "set")) {
+ 		dl_arg_inc(dl);
+ 		return cmd_health_set_params(dl);
+-- 
+2.23.0
+

backport-ip-Fix-size_columns-for-very-large-values.patch

@@ -0,0 +1,47 @@
+From 024103923a5c826e40c993be4ee2ada5536cb66a Mon Sep 17 00:00:00 2001
+From: Petr Machata <petrm@nvidia.com>
+Date: Mon, 27 Jun 2022 15:18:21 +0200
+Subject: [PATCH] ip: Fix size_columns() for very large values
+
+For values near the 64-bit boundary, the iterative application of
+powi *= 10 causes powi to overflow without the termination condition of
+powi >= val having ever been satisfied. Instead, when determining the
+length of the number, iterate val /= 10 and terminate when it's a single
+digit.
+
+Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats")
+CC: Tariq Toukan <tariqt@nvidia.com>
+CC: Itay Aveksis <itayav@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: void size_columns to static void size_colunms
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=024103923a5
+---
+ ip/ipaddress.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ip/ipaddress.c b/ip/ipaddress.c
+index 17341d28..5a3b1cae 100644
+--- a/ip/ipaddress.c
++++ b/ip/ipaddress.c
+@@ -549,7 +549,7 @@ static void print_vfinfo(FILE *fp, struct ifinfomsg *ifi, struct rtattr *vfinfo)
+ static void size_columns(unsigned int cols[], unsigned int n, ...)
+ {
+ 	unsigned int i, len;
+-	uint64_t val, powi;
++	uint64_t val;
+ 	va_list args;
+ 
+ 	va_start(args, n);
+@@ -560,7 +560,7 @@ void size_columns(unsigned int cols[], unsigned int n, ...)
+ 		if (human_readable)
+ 			continue;
+ 
+-		for (len = 1, powi = 10; powi < val; len++, powi *= 10)
++		for (len = 1; val > 9; len++, val /= 10)
+ 			/* nothing */;
+ 		if (len > cols[i])
+ 			cols[i] = len;
+-- 
+2.23.0
+

backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch

@@ -0,0 +1,53 @@
+From 329fda1861560b06e60a7bd1004647bb65708295 Mon Sep 17 00:00:00 2001
+From: Petr Machata <petrm@nvidia.com>
+Date: Tue, 28 Jun 2022 12:17:31 +0200
+Subject: [PATCH] ip: Fix size_columns() invocation that passes a 32-bit
+ quantity
+
+In print_stats64(), the last size_columns() invocation passes number of
+carrier changes as one of the arguments. The value is decoded as a 32-bit
+quantity, but size_columns() expects a 64-bit one. This is undefined
+behavior.
+
+The reason valgrind does not cite this is that the previous size_columns()
+invocations prime the ABI area used for the value transfer. When these
+other invocations are commented away, valgrind does complain that
+"conditional jump or move depends on uninitialised value", as would be
+expected.
+
+Fixes: 49437375b6c1 ("ip: dynamically size columns when printing stats")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=329fda18615
+---
+ ip/ipaddress.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/ip/ipaddress.c b/ip/ipaddress.c
+index 5a3b1cae..a288341c 100644
+--- a/ip/ipaddress.c
++++ b/ip/ipaddress.c
+@@ -783,13 +783,15 @@ void print_stats64(FILE *fp, struct rtnl_link_stats64 *s,
+ 			     s->tx_bytes, s->tx_packets, s->tx_errors,
+ 			     s->tx_dropped, s->tx_carrier_errors,
+ 			     s->collisions, s->tx_compressed);
+-		if (show_stats > 1)
++		if (show_stats > 1) {
++			uint64_t cc = carrier_changes ?
++				      rta_getattr_u32(carrier_changes) : 0;
++
+ 			size_columns(cols, ARRAY_SIZE(cols), 0, 0,
+ 				     s->tx_aborted_errors, s->tx_fifo_errors,
+ 				     s->tx_window_errors,
+-				     s->tx_heartbeat_errors,
+-				     carrier_changes ?
+-				     rta_getattr_u32(carrier_changes) : 0);
++				     s->tx_heartbeat_errors, cc);
++		}
+ 
+ 		/* RX stats */
+ 		fprintf(fp, "    RX: %*s %*s %*s %*s %*s %*s %*s%s",
+-- 
+2.23.0
+

backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch

@@ -0,0 +1,35 @@
+From 2bb37e90177cae1b92284a943123b0575505141f Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Tue, 21 Jun 2022 18:53:08 +0200
+Subject: [PATCH] l2tp: fix typo in AF_INET6 checksum JSON print
+
+In print_tunnel json output, a typo makes it impossible to know the
+value of udp6_csum_rx, printing instead udp6_csum_tx two times.
+
+Fixed getting rid of the typo.
+
+Fixes: 98453b65800f ("ip/l2tp: add JSON support")
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=2bb37e90177
+---
+ ip/ipl2tp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ip/ipl2tp.c b/ip/ipl2tp.c
+index 56972358..f1d574de 100644
+--- a/ip/ipl2tp.c
++++ b/ip/ipl2tp.c
+@@ -258,7 +258,7 @@ static void print_tunnel(const struct l2tp_data *data)
+ 					   NULL, p->udp6_csum_tx);
+ 
+ 				print_bool(PRINT_JSON, "checksum_rx",
+-					   NULL, p->udp6_csum_tx);
++					   NULL, p->udp6_csum_rx);
+ 			} else {
+ 				printf("  UDP checksum: %s%s%s%s\n",
+ 				       p->udp6_csum_tx && p->udp6_csum_rx
+-- 
+2.23.0
+

backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch

@@ -0,0 +1,75 @@
+From f8beda6e00e57b8f875442351f91e5c01530ad8e Mon Sep 17 00:00:00 2001
+From: Maxim Petrov <mmrmaximuzz@gmail.com>
+Date: Tue, 8 Feb 2022 20:20:45 +0300
+Subject: [PATCH] libnetlink: fix socket leak in rtnl_open_byproto()
+
+rtnl_open_byproto() does not close the opened socket in case of
+errors, and the socket is returned to the caller in the `fd` field of
+the struct. However, none of the callers care about the socket, so
+close it in the function immediately to avoid any potential resource
+leaks.
+
+Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=f8beda6e00e
+---
+ lib/libnetlink.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lib/libnetlink.c b/lib/libnetlink.c
+index 7e977a67..6d1b1187 100644
+--- a/lib/libnetlink.c
++++ b/lib/libnetlink.c
+@@ -210,13 +210,13 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions,
+ 	if (setsockopt(rth->fd, SOL_SOCKET, SO_SNDBUF,
+ 		       &sndbuf, sizeof(sndbuf)) < 0) {
+ 		perror("SO_SNDBUF");
+-		return -1;
++		goto err;
+ 	}
+ 
+ 	if (setsockopt(rth->fd, SOL_SOCKET, SO_RCVBUF,
+ 		       &rcvbuf, sizeof(rcvbuf)) < 0) {
+ 		perror("SO_RCVBUF");
+-		return -1;
++		goto err;
+ 	}
+ 
+ 	/* Older kernels may no support extended ACK reporting */
+@@ -230,25 +230,28 @@ int rtnl_open_byproto(struct rtnl_handle *rth, unsigned int subscriptions,
+ 	if (bind(rth->fd, (struct sockaddr *)&rth->local,
+ 		 sizeof(rth->local)) < 0) {
+ 		perror("Cannot bind netlink socket");
+-		return -1;
++		goto err;
+ 	}
+ 	addr_len = sizeof(rth->local);
+ 	if (getsockname(rth->fd, (struct sockaddr *)&rth->local,
+ 			&addr_len) < 0) {
+ 		perror("Cannot getsockname");
+-		return -1;
++		goto err;
+ 	}
+ 	if (addr_len != sizeof(rth->local)) {
+ 		fprintf(stderr, "Wrong address length %d\n", addr_len);
+-		return -1;
++		goto err;
+ 	}
+ 	if (rth->local.nl_family != AF_NETLINK) {
+ 		fprintf(stderr, "Wrong address family %d\n",
+ 			rth->local.nl_family);
+-		return -1;
++		goto err;
+ 	}
+ 	rth->seq = time(NULL);
+ 	return 0;
++err:
++	rtnl_close(rth);
++	return -1;
+ }
+ 
+ int rtnl_open(struct rtnl_handle *rth, unsigned int subscriptions)
+-- 
+2.23.0
+

backport-lnstat-fix-buffer-overflow-in-header-output.patch

@@ -0,0 +1,37 @@
+From be31c2648487596f23096278dacd86bf88305a14 Mon Sep 17 00:00:00 2001
+From: "[200~jiangheng" <jiangheng12@huawei.com>
+Date: Wed, 17 Nov 2021 13:41:10 -0800
+Subject: [PATCH] lnstat: fix buffer overflow in header output
+
+Running lnstat will cause core dump from reading past end of array.
+
+Segmentation fault (core dumped)
+
+The maximum  value of th.num_lines is HDR_LINES(10),  h should not be equal to th.num_lines, array th.hdr may be out of bounds.
+
+Signed-off-by jiangheng <jiangheng12@huawei.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=be31c264848
+---
+ misc/lnstat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/misc/lnstat.c b/misc/lnstat.c
+index 89cb0e7e..98904d45 100644
+--- a/misc/lnstat.c
++++ b/misc/lnstat.c
+@@ -210,8 +210,9 @@ static struct table_hdr *build_hdr_string(struct lnstat_file *lnstat_files,
+ 		}
+ 		ofs += width+1;
+ 	}
++
+ 	/* fill in spaces */
+-	for (h = 1; h <= th.num_lines; h++) {
++	for (h = 1; h < th.num_lines; h++) {
+ 		for (i = 0; i < ofs; i++) {
+ 			if (th.hdr[h][i] == '\0')
+ 				th.hdr[h][i] = ' ';
+-- 
+2.23.0
+

backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch

@@ -0,0 +1,32 @@
+From cc143bda6bcec20d073f42162f06dde8998551d4 Mon Sep 17 00:00:00 2001
+From: Maxim Petrov <mmrmaximuzz@gmail.com>
+Date: Tue, 15 Feb 2022 23:53:47 +0300
+Subject: [PATCH] lnstat: fix strdup leak in -w argument parsing
+
+'tmp' string is used for safe tokenizing, but it is not required after
+getting all the widths in -w option. As 'tmp' string is obtained by strdup
+call, the caller has to deallocate it to avoid memory leak.
+
+Signed-off-by: Maxim Petrov <mmrmaximuzz@gmail.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=cc143bda6bc
+---
+ misc/lnstat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/misc/lnstat.c b/misc/lnstat.c
+index 98904d45..c3293a8e 100644
+--- a/misc/lnstat.c
++++ b/misc/lnstat.c
+@@ -331,6 +331,7 @@ int main(int argc, char **argv)
+ 				for (i = 0; i < MAX_FIELDS; i++)
+ 					fp.params[i].print.width = len;
+ 			}
++			free(tmp);
+ 			break;
+ 		default:
+ 			usage(argv[0], 1);
+-- 
+2.23.0
+

backport-q_cake-allow-changing-to-diffserv3.patch

@@ -0,0 +1,49 @@
+From eb4206ecd0342ff92b1a85b7dae3d4fd1b5be1c6 Mon Sep 17 00:00:00 2001
+From: Kevin Bracey <kevin@bracey.fi>
+Date: Thu, 6 Jan 2022 13:16:04 +0200
+Subject: [PATCH] q_cake: allow changing to diffserv3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A diffserv3 option (enum value 0) was never sent to the kernel, so it
+was not possible to use "tc qdisc change" to select it.
+
+This also meant that were also relying on the kernel's default being
+diffserv3 when adding. If the default were to change, we wouldn't have
+been able to request diffserv3 explicitly.
+
+Signed-off-by: Kevin Bracey <kevin@bracey.fi>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=eb4206ecd03
+---
+ tc/q_cake.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tc/q_cake.c b/tc/q_cake.c
+index 4cfc1c00..c438b765 100644
+--- a/tc/q_cake.c
++++ b/tc/q_cake.c
+@@ -95,7 +95,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv,
+ 	bool overhead_override = false;
+ 	bool overhead_set = false;
+ 	unsigned int interval = 0;
+-	unsigned int diffserv = 0;
++	int diffserv = -1;
+ 	unsigned int memlimit = 0;
+ 	unsigned int fwmark = 0;
+ 	unsigned int target = 0;
+@@ -356,7 +356,7 @@ static int cake_parse_opt(struct qdisc_util *qu, int argc, char **argv,
+ 	if (bandwidth || unlimited)
+ 		addattr_l(n, 1024, TCA_CAKE_BASE_RATE64, &bandwidth,
+ 			  sizeof(bandwidth));
+-	if (diffserv)
++	if (diffserv != -1)
+ 		addattr_l(n, 1024, TCA_CAKE_DIFFSERV_MODE, &diffserv,
+ 			  sizeof(diffserv));
+ 	if (atm != -1)
+-- 
+2.23.0
+

backport-tc-em_u32-fix-offset-parsing.patch

@@ -0,0 +1,63 @@
+From b84fc3321c6adaf76f36cf7ef0e17389bdf31500 Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Fri, 6 May 2022 22:11:46 +0200
+Subject: [PATCH] tc: em_u32: fix offset parsing
+
+tc u32 ematch offset parsing might fail even if nexthdr offset is
+aligned to 4. The issue can be reproduced with the following script:
+
+tc qdisc del dev dummy0 root
+tc qdisc add dev dummy0 root handle 1: htb r2q 1 default 1
+tc class add dev dummy0 parent 1:1 classid 1:108 htb quantum 1000000 \
+	rate 1.00mbit ceil 10.00mbit burst 6k
+
+while true; do
+if ! tc filter add dev dummy0 protocol all parent 1: prio 1 basic match \
+	"meta(vlan mask 0xfff eq 1)" and "u32(u32 0x20011002 0xffffffff \
+	at nexthdr+8)" flowid 1:108; then
+		exit 0
+fi
+done
+
+which we expect to produce an endless loop.
+With the current code, instead, this ends with:
+
+u32: invalid offset alignment, must be aligned to 4.
+... meta(vlan mask 0xfff eq 1) and >>u32(u32 0x20011002 0xffffffff at nexthdr+8)<< ...
+... u32(u32 0x20011002 0xffffffff at >>nexthdr+8<<)...
+Usage: u32(ALIGN VALUE MASK at [ nexthdr+ ] OFFSET)
+where: ALIGN  := { u8 | u16 | u32 }
+
+Example: u32(u16 0x1122 0xffff at nexthdr+4)
+Illegal "ematch"
+
+This is caused by memcpy copying into buf an unterminated string.
+
+Fix it using strncpy instead of memcpy.
+
+Fixes: commit 311b41454dc4 ("Add new extended match files.")
+Reported-by: Alfred Yang <alf.redyoung@gmail.com>
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=b84fc3321c6
+---
+ tc/em_u32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/em_u32.c b/tc/em_u32.c
+index bc284af4..ea2bf882 100644
+--- a/tc/em_u32.c
++++ b/tc/em_u32.c
+@@ -84,7 +84,7 @@ static int u32_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr,
+ 		char buf[a->len - nh_len + 1];
+ 
+ 		offmask = -1;
+-		memcpy(buf, a->data + nh_len, a->len - nh_len);
++		strncpy(buf, a->data + nh_len, a->len - nh_len + 1);
+ 		offset = strtoul(buf, NULL, 0);
+ 	} else if (!bstrcmp(a, "nexthdr+")) {
+ 		a = bstr_next(a);
+-- 
+2.23.0
+

backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch

@@ -0,0 +1,38 @@
+From 73590d9573148804034a88ceb2f6b7ca1545561f Mon Sep 17 00:00:00 2001
+From: Paul Blakey <paulb@nvidia.com>
+Date: Sun, 5 Dec 2021 15:20:25 +0200
+Subject: [PATCH] tc: flower: Fix buffer overflow on large labels
+
+Buffer is 64bytes, but label printing can take 66bytes printing
+in hex, and will overflow when setting the string delimiter ('\0').
+
+Fix that by increasing the print buffer size.
+
+Example of overflowing ct_label:
+ct_label 11111111111111111111111111111111/11111111111111111111111111111111
+
+Fixes: 2fffb1c03056 ("tc: flower: Add matching on conntrack info")
+Signed-off-by: Paul Blakey <paulb@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=73590d95731
+---
+ tc/f_flower.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/f_flower.c b/tc/f_flower.c
+index 7f78195f..6d70b92a 100644
+--- a/tc/f_flower.c
++++ b/tc/f_flower.c
+@@ -2195,7 +2195,7 @@ static void flower_print_ct_label(struct rtattr *attr,
+ 	const unsigned char *str;
+ 	bool print_mask = false;
+ 	int data_len, i;
+-	SPRINT_BUF(out);
++	char out[128];
+ 	char *p;
+ 
+ 	if (!attr)
+-- 
+2.23.0
+

backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch

@@ -0,0 +1,54 @@
+From 7f70eb2a8b2c451683c801b23b25f34071a8882f Mon Sep 17 00:00:00 2001
+From: Roi Dayan <roid@nvidia.com>
+Date: Thu, 3 Feb 2022 14:20:46 +0200
+Subject: [PATCH] tc_util: Fix parsing action control with space and slash
+
+For action police there is an conform-exceed action control
+which can be for example "jump 2 / pipe".
+The current parsing loop is doing one more iteration than necessary
+and results in ok var being 3.
+
+Example filter:
+
+tc filter add dev enp8s0f0_0 ingress protocol ip prio 2 flower \
+    verbose action police rate 100mbit burst 12m \
+    conform-exceed jump 1 / pipe mirred egress redirect dev enp8s0f0_1 action drop
+
+Before this change the command will fail.
+Trying to add another "pipe" before mirred as a workaround for the stopping the loop
+in ok var 3 resulting in result2 not being saved and wrong filter.
+
+... conform-exceed jump 1 / pipe pipe mirred ...
+
+Example dump of the action part:
+... action order 1:  police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1 overhead 0b  ...
+
+Fix the behavior by removing redundant case 2 handling, either argc is over or breaking.
+
+Example dump of the action part with the fix:
+... action order 1:  police 0x1 rate 100Mbit burst 12Mb mtu 2Kb action jump 1/pipe overhead 0b ...
+
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=7f70eb2a8b2
+---
+ tc/tc_util.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tc/tc_util.c b/tc/tc_util.c
+index 48065897..b82dbd5d 100644
+--- a/tc/tc_util.c
++++ b/tc/tc_util.c
+@@ -476,7 +476,6 @@ static int parse_action_control_slash_spaces(int *argc_p, char ***argv_p,
+ 			NEXT_ARG();
+ 			/* fall-through */
+ 		case 0: /* fall-through */
+-		case 2:
+ 			ret = parse_action_control(&argc, &argv,
+ 						   result_p, allow_num);
+ 			if (ret)
+-- 
+2.23.0
+

backport-tipc-fix-keylen-check.patch

@@ -0,0 +1,44 @@
+From 4429a6c9b484bc02dfab1e020a9b6f9f77370331 Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Fri, 13 May 2022 11:52:30 +0200
+Subject: [PATCH] tipc: fix keylen check
+
+Key length check in str2key() is wrong for hex. Fix this using the
+proper hex key length.
+
+Fixes: 28ee49e5153b ("tipc: bail out if key is abnormally long")
+Suggested-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Conflict: NA
+Reference: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=4429a6c9b48
+---
+ tipc/misc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tipc/misc.c b/tipc/misc.c
+index 909975d8..6175bf07 100644
+--- a/tipc/misc.c
++++ b/tipc/misc.c
+@@ -113,16 +113,15 @@ int str2key(char *str, struct tipc_aead_key *key)
+ 	    }
+ 	}
+ 
+-	if (len > TIPC_AEAD_KEYLEN_MAX)
++	key->keylen = ishex ? (len + 1) / 2 : len;
++	if (key->keylen > TIPC_AEAD_KEYLEN_MAX)
+ 		return -1;
+ 
+ 	/* Obtain key: */
+ 	if (!ishex) {
+-		key->keylen = len;
+ 		memcpy(key->key, str, len);
+ 	} else {
+ 		/* Convert hex string to key */
+-		key->keylen = (len + 1) / 2;
+ 		for (i = 0; i < key->keylen; i++) {
+ 			if (i == 0 && len % 2 != 0) {
+ 				if (sscanf(str, "%1hhx", &key->key[0]) != 1)
+-- 
+2.23.0
+

iproute.spec

@@ -1,6 +1,6 @@
 Name:		iproute
 Version:	5.15.0
-Release:	3
+Release:	4
 Summary:	Linux network configuration utilities
 License:	GPLv2+ and Public Domain
 URL:		https://kernel.org/pub/linux/utils/net/iproute2/
@@ -9,6 +9,19 @@ Source0:	https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/iproute2-%
 Patch1:         bugfix-iproute2-3.10.0-fix-maddr-show.patch         
 Patch2:         bugfix-iproute2-change-proc-to-ipnetnsproc-which-is-private.patch
 
+Patch6000:      backport-devlink-fix-devlink-health-dump-command-without-arg.patch
+Patch6001:      backport-ip-Fix-size_columns-for-very-large-values.patch
+Patch6002:      backport-ip-Fix-size_columns-invocation-that-passes-a-32-bit-.patch
+Patch6003:      backport-l2tp-fix-typo-in-AF_INET6-checksum-JSON-print.patch
+Patch6004:      backport-libnetlink-fix-socket-leak-in-rtnl_open_byproto.patch
+Patch6005:      backport-lnstat-fix-buffer-overflow-in-header-output.patch
+Patch6006:      backport-lnstat-fix-strdup-leak-in-w-argument-parsing.patch
+Patch6007:      backport-q_cake-allow-changing-to-diffserv3.patch
+Patch6008:      backport-tc-em_u32-fix-offset-parsing.patch
+Patch6009:      backport-tc-flower-Fix-buffer-overflow-on-large-labels.patch
+Patch6010:      backport-tc_util-Fix-parsing-action-control-with-space-and-sl.patch
+Patch6011:      backport-tipc-fix-keylen-check.patch
+
 BuildRequires:	gcc bison elfutils-libelf-devel flex iptables-devel
 BuildRequires:  libmnl-devel libselinux-devel pkgconfig libbpf-devel
 Requires:       libbpf psmisc
@@ -76,6 +89,23 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a
 %{_mandir}/*
 
 %changelog
+* Fri Aug 26 2022 sunsuwan<sunsuwan3@huawei.com> - 5.15.0-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:lnstat: fix buffer overflow in header output 
+       libnetlink: fix socket leak in rtnl_open_byptoyo
+       lnstat: fix strdup leak in w argument parsing
+       q_cake: allow fix buffer overflow on large labels
+       tc flower: fix buffer overflow on large labels
+       tc_tuil: fix parsing action control with space and sl
+       tipc: fix keylen check
+       fix devlink health dump command without arg
+       tc: em_u32: fix offset parsing
+       l2tp fix typo in AF_INET6 checksum JSON print
+       ip: Fix size_columns() for very large values
+       ip: Fix size_columns() invocation that passes a 32-bit quantity
+
 * Tue Mar 01 2022 jiangheng<jiangheng12@huawei.com> - 5.15.0-3
 - Type:bugfix
 - ID:NA