4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jul 2019 09:16:31 +0000 (11:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jul 2019 09:16:31 +0000 (11:16 +0200)
added patches:
bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
bonding-validate-ip-header-before-check-ipproto_igmp.patch
caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
net-bcmgenet-use-promisc-for-unsupported-filters.patch
net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
net-neigh-fix-multiple-neigh-timer-scheduling.patch
netrom-fix-a-memory-leak-in-nr_rx_frame.patch
netrom-hold-sock-when-setting-skb-destructor.patch
nfc-fix-potential-illegal-memory-access.patch
sky2-disable-msi-on-asus-p6t.patch
tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch

16 files changed:
queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch [new file with mode: 0644]
queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch [new file with mode: 0644]
queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch [new file with mode: 0644]
queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch [new file with mode: 0644]
queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch [new file with mode: 0644]
queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch [new file with mode: 0644]
queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch [new file with mode: 0644]
queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch [new file with mode: 0644]
queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch [new file with mode: 0644]
queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch [new file with mode: 0644]
queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch [new file with mode: 0644]
queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch [new file with mode: 0644]
queue-4.4/nfc-fix-potential-illegal-memory-access.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/sky2-disable-msi-on-asus-p6t.patch [new file with mode: 0644]
queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch [new file with mode: 0644]

diff --git a/queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch b/queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
new file mode 100644 (file)
index 0000000..2aa5d73
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Mon, 15 Jul 2019 16:41:50 -0500
+Subject: bnx2x: Prevent load reordering in tx completion processing
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+[ Upstream commit ea811b795df24644a8eb760b493c43fba4450677 ]
+
+This patch fixes an issue seen on Power systems with bnx2x which results
+in the skb is NULL WARN_ON in bnx2x_free_tx_pkt firing due to the skb
+pointer getting loaded in bnx2x_free_tx_pkt prior to the hw_cons
+load in bnx2x_tx_int. Adding a read memory barrier resolves the issue.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -288,6 +288,9 @@ int bnx2x_tx_int(struct bnx2x *bp, struc
+       hw_cons = le16_to_cpu(*txdata->tx_cons_sb);
+       sw_cons = txdata->tx_pkt_cons;
++      /* Ensure subsequent loads occur after hw_cons */
++      smp_rmb();
++
+       while (sw_cons != hw_cons) {
+               u16 pkt_cons;
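Review bot: The comment above the new `smp_rmb()` in bnx2x_tx_int states what it orders locally but not which store it pairs with, which Documentation/memory-barriers.txt asks of every barrier comment. Since hw_cons is read from a status block the device writes, a reader needs to know whether the matching barrier is on the firmware/DMA side or an smp_wmb() in another CPU's path; I would extend it to `/* Ensure subsequent loads occur after hw_cons; pairs with the producer's update of tx_cons_sb */`, hedged because the producer side is not visible here. bnx2x_tx_int's body continues outside the hunk.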
diff --git a/queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch b/queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch
new file mode 100644 (file)
index 0000000..e8c63bf
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 1 Jul 2019 20:40:24 -0700
+Subject: bonding: validate ip header before check IPPROTO_IGMP
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]
+
+bond_xmit_roundrobin() checks for IGMP packets but it parses
+the IP header even before checking skb->protocol.
+
+We should validate the IP header with pskb_may_pull() before
+using iph->protocol.
+
+Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
+Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode")
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3714,8 +3714,8 @@ static u32 bond_rr_gen_slave_id(struct b
+ static int bond_xmit_roundrobin(struct sk_buff *skb, struct net_device *bond_dev)
+ {
+       struct bonding *bond = netdev_priv(bond_dev);
+-      struct iphdr *iph = ip_hdr(skb);
+       struct slave *slave;
++      int slave_cnt;
+       u32 slave_id;
+       /* Start with the curr_active_slave that joined the bond as the
+@@ -3724,23 +3724,32 @@ static int bond_xmit_roundrobin(struct s
+        * send the join/membership reports.  The curr_active_slave found
+        * will send all of this type of traffic.
+        */
+-      if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {
+-              slave = rcu_dereference(bond->curr_active_slave);
+-              if (slave)
+-                      bond_dev_queue_xmit(bond, skb, slave->dev);
+-              else
+-                      bond_xmit_slave_id(bond, skb, 0);
+-      } else {
+-              int slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++      if (skb->protocol == htons(ETH_P_IP)) {
++              int noff = skb_network_offset(skb);
++              struct iphdr *iph;
++
++              if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))
++                      goto non_igmp;
+-              if (likely(slave_cnt)) {
+-                      slave_id = bond_rr_gen_slave_id(bond);
+-                      bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
+-              } else {
+-                      bond_tx_drop(bond_dev, skb);
++              iph = ip_hdr(skb);
++              if (iph->protocol == IPPROTO_IGMP) {
++                      slave = rcu_dereference(bond->curr_active_slave);
++                      if (slave)
++                              bond_dev_queue_xmit(bond, skb, slave->dev);
++                      else
++                              bond_xmit_slave_id(bond, skb, 0);
++                      return NETDEV_TX_OK;
+               }
+       }
++non_igmp:
++      slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++      if (likely(slave_cnt)) {
++              slave_id = bond_rr_gen_slave_id(bond);
++              bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
++      } else {
++              bond_tx_drop(bond_dev, skb);
++      }
+       return NETDEV_TX_OK;
+ }
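Review bot: When `pskb_may_pull()` fails for an ETH_P_IP skb at `goto non_igmp`, a frame that advertises IPv4 but is shorter than an IP header is still transmitted round-robin rather than dropped, and nothing in the hunk says that is deliberate. A short comment on the goto would stop a later reader from "fixing" it in either direction, e.g. `/* truncated IPv4 header: cannot be IGMP, send it as ordinary traffic */`. It is also worth noting there that iph is deliberately re-derived from `ip_hdr(skb)` only after the pull, since a successful pull can move the header (the same hazard the bridge patches in this series fix).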
diff --git a/queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch b/queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
new file mode 100644 (file)
index 0000000..3ec2c6d
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 15 Jul 2019 14:10:17 +0900
+Subject: caif-hsi: fix possible deadlock in cfhsi_exit_module()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit fdd258d49e88a9e0b49ef04a506a796f1c768a8e ]
+
+cfhsi_exit_module() calls unregister_netdev() under rtnl_lock().
+but unregister_netdev() internally calls rtnl_lock().
+So deadlock would occur.
+
+Fixes: c41254006377 ("caif-hsi: Add rtnl support")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_hsi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1467,7 +1467,7 @@ static void __exit cfhsi_exit_module(voi
+       rtnl_lock();
+       list_for_each_safe(list_node, n, &cfhsi_list) {
+               cfhsi = list_entry(list_node, struct cfhsi, list);
+-              unregister_netdev(cfhsi->ndev);
++              unregister_netdevice(cfhsi->ndev);
+       }
+       rtnl_unlock();
+ }
diff --git a/queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch b/queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
new file mode 100644 (file)
index 0000000..fc92bc1
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 1 Jul 2019 19:01:55 +0200
+Subject: ipv4: don't set IPv6 only flags to IPv4 addresses
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 2e60546368165c2449564d71f6005dda9205b5fb ]
+
+Avoid the situation where an IPV6 only flag is applied to an IPv4 address:
+
+    # ip addr add 192.0.2.1/24 dev dummy0 nodad home mngtmpaddr noprefixroute
+    # ip -4 addr show dev dummy0
+    2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+        inet 192.0.2.1/24 scope global noprefixroute dummy0
+           valid_lft forever preferred_lft forever
+
+Or worse, by sending a malicious netlink command:
+
+    # ip -4 addr show dev dummy0
+    2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+        inet 192.0.2.1/24 scope global nodad optimistic dadfailed home tentative mngtmpaddr noprefixroute stable-privacy dummy0
+           valid_lft forever preferred_lft forever
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -67,6 +67,11 @@
+ #include "fib_lookup.h"
++#define IPV6ONLY_FLAGS        \
++              (IFA_F_NODAD | IFA_F_OPTIMISTIC | IFA_F_DADFAILED | \
++               IFA_F_HOMEADDRESS | IFA_F_TENTATIVE | \
++               IFA_F_MANAGETEMPADDR | IFA_F_STABLE_PRIVACY)
++
+ static struct ipv4_devconf ipv4_devconf = {
+       .data = {
+               [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -453,6 +458,9 @@ static int __inet_insert_ifa(struct in_i
+       ifa->ifa_flags &= ~IFA_F_SECONDARY;
+       last_primary = &in_dev->ifa_list;
++      /* Don't set IPv6 only flags to IPv4 addresses */
++      ifa->ifa_flags &= ~IPV6ONLY_FLAGS;
++
+       for (ifap = &in_dev->ifa_list; (ifa1 = *ifap) != NULL;
+            ifap = &ifa1->ifa_next) {
+               if (!(ifa1->ifa_flags & IFA_F_SECONDARY) &&
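Review bot: The new `ifa->ifa_flags &= ~IPV6ONLY_FLAGS;` in __inet_insert_ifa silently clears the IPv6-only flags instead of rejecting the request, so a netlink caller that sets them gets success and no indication they were dropped; the comment should say stripping (rather than returning -EINVAL) is the intended compatibility behaviour, e.g. `/* Don't set IPv6 only flags to IPv4 addresses; strip silently so existing callers keep working */`. Whether upstream chose stripping over rejection on purpose is not visible in the hunk. The mask is defined only in devinet.c next to the `fib_lookup.h` include, so if the rtnetlink address path ever needs to validate rather than strip, the definition will have to move to a header. __inet_insert_ifa continues outside the hunk.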
diff --git a/queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch b/queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch
new file mode 100644 (file)
index 0000000..a8b020c
--- /dev/null
@@ -0,0 +1,126 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Justin Chen <justinpopo6@gmail.com>
+Date: Wed, 17 Jul 2019 14:58:53 -0700
+Subject: net: bcmgenet: use promisc for unsupported filters
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 35cbef9863640f06107144687bd13151bc2e8ce3 ]
+
+Currently we silently ignore filters if we cannot meet the filter
+requirements. This will lead to the MAC dropping packets that are
+expected to pass. A better solution would be to set the NIC to promisc
+mode when the required filters cannot be met.
+
+Also correct the number of MDF filters supported. It should be 17,
+not 16.
+
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c |   57 +++++++++++--------------
+ 1 file changed, 26 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3090,39 +3090,42 @@ static void bcmgenet_timeout(struct net_
+       netif_tx_wake_all_queues(dev);
+ }
+-#define MAX_MC_COUNT  16
++#define MAX_MDF_FILTER        17
+ static inline void bcmgenet_set_mdf_addr(struct bcmgenet_priv *priv,
+                                        unsigned char *addr,
+-                                       int *i,
+-                                       int *mc)
++                                       int *i)
+ {
+-      u32 reg;
+-
+       bcmgenet_umac_writel(priv, addr[0] << 8 | addr[1],
+                            UMAC_MDF_ADDR + (*i * 4));
+       bcmgenet_umac_writel(priv, addr[2] << 24 | addr[3] << 16 |
+                            addr[4] << 8 | addr[5],
+                            UMAC_MDF_ADDR + ((*i + 1) * 4));
+-      reg = bcmgenet_umac_readl(priv, UMAC_MDF_CTRL);
+-      reg |= (1 << (MAX_MC_COUNT - *mc));
+-      bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+       *i += 2;
+-      (*mc)++;
+ }
+ static void bcmgenet_set_rx_mode(struct net_device *dev)
+ {
+       struct bcmgenet_priv *priv = netdev_priv(dev);
+       struct netdev_hw_addr *ha;
+-      int i, mc;
++      int i, nfilter;
+       u32 reg;
+       netif_dbg(priv, hw, dev, "%s: %08X\n", __func__, dev->flags);
+-      /* Promiscuous mode */
++      /* Number of filters needed */
++      nfilter = netdev_uc_count(dev) + netdev_mc_count(dev) + 2;
++
++      /*
++       * Turn on promicuous mode for three scenarios
++       * 1. IFF_PROMISC flag is set
++       * 2. IFF_ALLMULTI flag is set
++       * 3. The number of filters needed exceeds the number filters
++       *    supported by the hardware.
++      */
+       reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+-      if (dev->flags & IFF_PROMISC) {
++      if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) ||
++          (nfilter > MAX_MDF_FILTER)) {
+               reg |= CMD_PROMISC;
+               bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+               bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL);
+@@ -3132,32 +3135,24 @@ static void bcmgenet_set_rx_mode(struct
+               bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+       }
+-      /* UniMac doesn't support ALLMULTI */
+-      if (dev->flags & IFF_ALLMULTI) {
+-              netdev_warn(dev, "ALLMULTI is not supported\n");
+-              return;
+-      }
+-
+       /* update MDF filter */
+       i = 0;
+-      mc = 0;
+       /* Broadcast */
+-      bcmgenet_set_mdf_addr(priv, dev->broadcast, &i, &mc);
++      bcmgenet_set_mdf_addr(priv, dev->broadcast, &i);
+       /* my own address.*/
+-      bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i, &mc);
+-      /* Unicast list*/
+-      if (netdev_uc_count(dev) > (MAX_MC_COUNT - mc))
+-              return;
++      bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i);
+-      if (!netdev_uc_empty(dev))
+-              netdev_for_each_uc_addr(ha, dev)
+-                      bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
+-      /* Multicast */
+-      if (netdev_mc_empty(dev) || netdev_mc_count(dev) >= (MAX_MC_COUNT - mc))
+-              return;
++      /* Unicast */
++      netdev_for_each_uc_addr(ha, dev)
++              bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++      /* Multicast */
+       netdev_for_each_mc_addr(ha, dev)
+-              bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
++              bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++
++      /* Enable filters */
++      reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter);
++      bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ }
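Review bot: The new comment block in bcmgenet_set_rx_mode has a typo, `promicuous` should be `promiscuous`, and its closing `*/` is indented one column short of the leading asterisks above it. The same function computes nfilter from `netdev_uc_count(dev) + netdev_mc_count(dev) + 2` before the address lists are walked, and the `GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter)` written to UMAC_MDF_CTRL at the end assumes the walk added exactly nfilter entries; a one-line comment stating that the counts and the walk are taken under the same lock (presumably the caller's addr_list_lock — confirm) would make that invariant explicit. The promisc path presumably returns early in the gap between the two hunks, which is what keeps the filter programming below from running with nfilter > MAX_MDF_FILTER, but that return is not visible here.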
+ /* Set the hardware MAC address. */
diff --git a/queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch b/queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
new file mode 100644 (file)
index 0000000..e05a5af
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:19 +0300
+Subject: net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ]
+
+We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may
+call pskb_may_pull afterwards and end up using a stale pointer.
+So use the header directly, it's just 1 place where it's needed.
+
+Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1353,7 +1353,6 @@ static int br_ip6_multicast_query(struct
+                                 struct sk_buff *skb,
+                                 u16 vid)
+ {
+-      const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+       struct mld_msg *mld;
+       struct net_bridge_mdb_entry *mp;
+       struct mld2_query *mld2q;
+@@ -1397,7 +1396,7 @@ static int br_ip6_multicast_query(struct
+       if (is_general_query) {
+               saddr.proto = htons(ETH_P_IPV6);
+-              saddr.u.ip6 = ip6h->saddr;
++              saddr.u.ip6 = ipv6_hdr(skb)->saddr;
+               br_multicast_query_received(br, port, &br->ip6_other_query,
+                                           &saddr, max_delay);
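Review bot: The use site `saddr.u.ip6 = ipv6_hdr(skb)->saddr;` in br_ip6_multicast_query now re-reads the header on purpose, but nothing records why, so a later cleanup may hoist it back into a local and reintroduce the stale pointer; a one-line comment such as `/* re-read: pskb_may_pull() above may have moved skb->head */` would protect it. The same applies to `ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr)` in br_stp_rcv in the net-bridge-stp patch later in this commit. The body of br_ip6_multicast_query between the two hunks is not shown.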
diff --git a/queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch b/queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
new file mode 100644 (file)
index 0000000..c232375
--- /dev/null
@@ -0,0 +1,173 @@
+From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:18 +0300
+Subject: net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ]
+
+We take a pointer to grec prior to calling pskb_may_pull and use it
+afterwards to get nsrcs so record nsrcs before the pull when handling
+igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling
+mld2 which again could lead to reading 2 bytes out-of-bounds.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16
+
+ CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G           OE     5.2.0-rc6+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+  dump_stack+0x71/0xab
+  print_address_description+0x6a/0x280
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  __kasan_report+0x152/0x1aa
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  kasan_report+0xe/0x20
+  br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  ? br_multicast_disable_port+0x150/0x150 [bridge]
+  ? ktime_get_with_offset+0xb4/0x150
+  ? __kasan_kmalloc.constprop.6+0xa6/0xf0
+  ? __netif_receive_skb+0x1b0/0x1b0
+  ? br_fdb_update+0x10e/0x6e0 [bridge]
+  ? br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+  br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+  ? br_pass_frame_up+0x3a0/0x3a0 [bridge]
+  ? virtnet_probe+0x1c80/0x1c80 [virtio_net]
+  br_handle_frame+0x731/0xd90 [bridge]
+  ? select_idle_sibling+0x25/0x7d0
+  ? br_handle_frame_finish+0x11d0/0x11d0 [bridge]
+  __netif_receive_skb_core+0xced/0x2d70
+  ? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring]
+  ? do_xdp_generic+0x20/0x20
+  ? virtqueue_napi_complete+0x39/0x70 [virtio_net]
+  ? virtnet_poll+0x94d/0xc78 [virtio_net]
+  ? receive_buf+0x5120/0x5120 [virtio_net]
+  ? __netif_receive_skb_one_core+0x97/0x1d0
+  __netif_receive_skb_one_core+0x97/0x1d0
+  ? __netif_receive_skb_core+0x2d70/0x2d70
+  ? _raw_write_trylock+0x100/0x100
+  ? __queue_work+0x41e/0xbe0
+  process_backlog+0x19c/0x650
+  ? _raw_read_lock_irq+0x40/0x40
+  net_rx_action+0x71e/0xbc0
+  ? __switch_to_asm+0x40/0x70
+  ? napi_complete_done+0x360/0x360
+  ? __switch_to_asm+0x34/0x70
+  ? __switch_to_asm+0x40/0x70
+  ? __schedule+0x85e/0x14d0
+  __do_softirq+0x1db/0x5f9
+  ? takeover_tasklets+0x5f0/0x5f0
+  run_ksoftirqd+0x26/0x40
+  smpboot_thread_fn+0x443/0x680
+  ? sort_range+0x20/0x20
+  ? schedule+0x94/0x210
+  ? __kthread_parkme+0x78/0xf0
+  ? sort_range+0x20/0x20
+  kthread+0x2ae/0x3a0
+  ? kthread_create_worker_on_cpu+0xc0/0xc0
+  ret_from_fork+0x35/0x40
+
+ The buggy address belongs to the page:
+ page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
+ flags: 0xffffc000000000()
+ raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000
+ raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ > ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+                                     ^
+ ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1011,6 +1011,7 @@ static int br_ip4_multicast_igmp3_report
+       int type;
+       int err = 0;
+       __be32 group;
++      u16 nsrcs;
+       ih = igmpv3_report_hdr(skb);
+       num = ntohs(ih->ngrec);
+@@ -1024,8 +1025,9 @@ static int br_ip4_multicast_igmp3_report
+               grec = (void *)(skb->data + len - sizeof(*grec));
+               group = grec->grec_mca;
+               type = grec->grec_type;
++              nsrcs = ntohs(grec->grec_nsrcs);
+-              len += ntohs(grec->grec_nsrcs) * 4;
++              len += nsrcs * 4;
+               if (!pskb_may_pull(skb, len))
+                       return -EINVAL;
+@@ -1045,7 +1047,7 @@ static int br_ip4_multicast_igmp3_report
+               if ((type == IGMPV3_CHANGE_TO_INCLUDE ||
+                    type == IGMPV3_MODE_IS_INCLUDE) &&
+-                  ntohs(grec->grec_nsrcs) == 0) {
++                  nsrcs == 0) {
+                       br_ip4_multicast_leave_group(br, port, group, vid);
+               } else {
+                       err = br_ip4_multicast_add_group(br, port, group, vid);
+@@ -1078,23 +1080,26 @@ static int br_ip6_multicast_mld2_report(
+       len = skb_transport_offset(skb) + sizeof(*icmp6h);
+       for (i = 0; i < num; i++) {
+-              __be16 *nsrcs, _nsrcs;
++              __be16 *_nsrcs, __nsrcs;
++              u16 nsrcs;
+-              nsrcs = skb_header_pointer(skb,
+-                                         len + offsetof(struct mld2_grec,
+-                                                        grec_nsrcs),
+-                                         sizeof(_nsrcs), &_nsrcs);
+-              if (!nsrcs)
++              _nsrcs = skb_header_pointer(skb,
++                                          len + offsetof(struct mld2_grec,
++                                                         grec_nsrcs),
++                                          sizeof(__nsrcs), &__nsrcs);
++              if (!_nsrcs)
+                       return -EINVAL;
++              nsrcs = ntohs(*_nsrcs);
++
+               if (!pskb_may_pull(skb,
+                                  len + sizeof(*grec) +
+-                                 sizeof(struct in6_addr) * ntohs(*nsrcs)))
++                                 sizeof(struct in6_addr) * nsrcs))
+                       return -EINVAL;
+               grec = (struct mld2_grec *)(skb->data + len);
+               len += sizeof(*grec) +
+-                     sizeof(struct in6_addr) * ntohs(*nsrcs);
++                     sizeof(struct in6_addr) * nsrcs;
+               /* We treat these as MLDv1 reports for now. */
+               switch (grec->grec_type) {
+@@ -1112,7 +1117,7 @@ static int br_ip6_multicast_mld2_report(
+               if ((grec->grec_type == MLD2_CHANGE_TO_INCLUDE ||
+                    grec->grec_type == MLD2_MODE_IS_INCLUDE) &&
+-                  ntohs(*nsrcs) == 0) {
++                  nsrcs == 0) {
+                       br_ip6_multicast_leave_group(br, port, &grec->grec_mca,
+                                                    vid);
+               } else {
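Review bot: The renamed locals `__be16 *_nsrcs, __nsrcs;` in br_ip6_multicast_mld2_report use a double-underscore identifier, which C reserves for the implementation and which reads poorly next to the `u16 nsrcs` that now carries the value; `__be16 *nsrcs_p, nsrcs_buf;` would say what each is for. In the igmp3 hunk, `nsrcs = ntohs(grec->grec_nsrcs);` is deliberately taken from grec before the `pskb_may_pull(skb, len)` that follows, which is the whole point of the fix, and deserves a comment like `/* read before the pull below, which may move skb->head */` so it is not "optimized" back. Both br_ip4_multicast_igmp3_report and br_ip6_multicast_mld2_report start outside their hunks.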
diff --git a/queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch b/queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
new file mode 100644 (file)
index 0000000..a4365d4
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:21 +0300
+Subject: net: bridge: stp: don't cache eth dest pointer before skb pull
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 2446a68ae6a8cee6d480e2f5b52f5007c7c41312 ]
+
+Don't cache eth dest pointer before calling pskb_may_pull.
+
+Fixes: cf0f02d04a83 ("[BRIDGE]: use llc for receiving STP packets")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_bpdu.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -147,7 +147,6 @@ void br_send_tcn_bpdu(struct net_bridge_
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+               struct net_device *dev)
+ {
+-      const unsigned char *dest = eth_hdr(skb)->h_dest;
+       struct net_bridge_port *p;
+       struct net_bridge *br;
+       const unsigned char *buf;
+@@ -176,7 +175,7 @@ void br_stp_rcv(const struct stp_proto *
+       if (p->state == BR_STATE_DISABLED)
+               goto out;
+-      if (!ether_addr_equal(dest, br->group_addr))
++      if (!ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr))
+               goto out;
+       if (p->flags & BR_BPDU_GUARD) {
diff --git a/queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch b/queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
new file mode 100644 (file)
index 0000000..556ae46
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 26 Jun 2019 20:40:45 +0200
+Subject: net: make skb_dst_force return true when dst is refcounted
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
+
+netfilter did not expect that skb_dst_force() can cause skb to lose its
+dst entry.
+
+I got a bug report with a skb->dst NULL dereference in netfilter
+output path.  The backtrace contains nf_reinject(), so the dst might have
+been cleared when skb got queued to userspace.
+
+Other users were fixed via
+if (skb_dst(skb)) {
+       skb_dst_force(skb);
+       if (!skb_dst(skb))
+               goto handle_err;
+}
+
+But I think its preferable to make the 'dst might be cleared' part
+of the function explicit.
+
+In netfilter case, skb with a null dst is expected when queueing in
+prerouting hook, so drop skb for the other hooks.
+
+v2:
+ v1 of this patch returned true in case skb had no dst entry.
+ Eric said:
+   Say if we have two skb_dst_force() calls for some reason
+   on the same skb, only the first one will return false.
+
+ This now returns false even when skb had no dst, as per Erics
+ suggestion, so callers might need to check skb_dst() first before
+ skb_dst_force().
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h        |    5 ++++-
+ net/netfilter/nf_queue.c |    6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -318,14 +318,17 @@ static inline void skb_dst_copy(struct s
+  * @skb: buffer
+  *
+  * If dst is not yet refcounted, let's do it
++ * Returns true if dst is refcounted.
+  */
+-static inline void skb_dst_force(struct sk_buff *skb)
++static inline bool skb_dst_force(struct sk_buff *skb)
+ {
+       if (skb_dst_is_noref(skb)) {
+               WARN_ON(!rcu_read_lock_held());
+               skb->_skb_refdst &= ~SKB_DST_NOREF;
+               dst_clone(skb_dst(skb));
+       }
++
++      return skb->_skb_refdst != 0UL;
+ }
+ /**
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -139,6 +139,11 @@ int nf_queue(struct sk_buff *skb,
+               goto err;
+       }
++      if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++              status = -ENETDOWN;
++              goto err;
++      }
++
+       *entry = (struct nf_queue_entry) {
+               .skb    = skb,
+               .elem   = elem,
+@@ -147,7 +152,6 @@ int nf_queue(struct sk_buff *skb,
+       };
+       nf_queue_entry_get_refs(entry);
+-      skb_dst_force(skb);
+       afinfo->saveroute(skb, entry);
+       status = qh->outfn(entry, queuenum);
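Review bot: The new doc line `Returns true if dst is refcounted.` on skb_dst_force undersells the case the v2 changelog calls out: `return skb->_skb_refdst != 0UL;` is also false when the skb never had a dst, so a false return cannot distinguish "no dst" from "dst was dropped", and callers that care must check skb_dst() first. I would phrase it `* Returns true if skb has a dst and it is refcounted; false if skb has no dst at all.` In nf_queue, the new `state->hook != NF_INET_PRE_ROUTING` exemption would benefit from a comment stating why a missing dst is tolerated at that hook (the route has not been looked up yet there — inferred from the commit message, not from the hunk). nf_queue's body continues outside the second hunk.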
diff --git a/queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch b/queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch
new file mode 100644 (file)
index 0000000..338dcc1
--- /dev/null
@@ -0,0 +1,92 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Sun, 14 Jul 2019 23:36:11 +0200
+Subject: net: neigh: fix multiple neigh timer scheduling
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]
+
+Neigh timer can be scheduled multiple times from userspace adding
+multiple neigh entries and forcing the neigh timer scheduling passing
+NTF_USE in the netlink requests.
+This will result in a refcount leak and in the following dump stack:
+
+[   32.465295] NEIGH: BUG, double timer add, state is 8
+[   32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
+[   32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[   32.465313] Call Trace:
+[   32.465318]  dump_stack+0x7c/0xc0
+[   32.465323]  __neigh_event_send+0x20c/0x880
+[   32.465326]  ? ___neigh_create+0x846/0xfb0
+[   32.465329]  ? neigh_lookup+0x2a9/0x410
+[   32.465332]  ? neightbl_fill_info.constprop.0+0x800/0x800
+[   32.465334]  neigh_add+0x4f8/0x5e0
+[   32.465337]  ? neigh_xmit+0x620/0x620
+[   32.465341]  ? find_held_lock+0x85/0xa0
+[   32.465345]  rtnetlink_rcv_msg+0x204/0x570
+[   32.465348]  ? rtnl_dellink+0x450/0x450
+[   32.465351]  ? mark_held_locks+0x90/0x90
+[   32.465354]  ? match_held_lock+0x1b/0x230
+[   32.465357]  netlink_rcv_skb+0xc4/0x1d0
+[   32.465360]  ? rtnl_dellink+0x450/0x450
+[   32.465363]  ? netlink_ack+0x420/0x420
+[   32.465366]  ? netlink_deliver_tap+0x115/0x560
+[   32.465369]  ? __alloc_skb+0xc9/0x2f0
+[   32.465372]  netlink_unicast+0x270/0x330
+[   32.465375]  ? netlink_attachskb+0x2f0/0x2f0
+[   32.465378]  netlink_sendmsg+0x34f/0x5a0
+[   32.465381]  ? netlink_unicast+0x330/0x330
+[   32.465385]  ? move_addr_to_kernel.part.0+0x20/0x20
+[   32.465388]  ? netlink_unicast+0x330/0x330
+[   32.465391]  sock_sendmsg+0x91/0xa0
+[   32.465394]  ___sys_sendmsg+0x407/0x480
+[   32.465397]  ? copy_msghdr_from_user+0x200/0x200
+[   32.465401]  ? _raw_spin_unlock_irqrestore+0x37/0x40
+[   32.465404]  ? lockdep_hardirqs_on+0x17d/0x250
+[   32.465407]  ? __wake_up_common_lock+0xcb/0x110
+[   32.465410]  ? __wake_up_common+0x230/0x230
+[   32.465413]  ? netlink_bind+0x3e1/0x490
+[   32.465416]  ? netlink_setsockopt+0x540/0x540
+[   32.465420]  ? __fget_light+0x9c/0xf0
+[   32.465423]  ? sockfd_lookup_light+0x8c/0xb0
+[   32.465426]  __sys_sendmsg+0xa5/0x110
+[   32.465429]  ? __ia32_sys_shutdown+0x30/0x30
+[   32.465432]  ? __fd_install+0xe1/0x2c0
+[   32.465435]  ? lockdep_hardirqs_off+0xb5/0x100
+[   32.465438]  ? mark_held_locks+0x24/0x90
+[   32.465441]  ? do_syscall_64+0xf/0x270
+[   32.465444]  do_syscall_64+0x63/0x270
+[   32.465448]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER'
+receiving a netlink request with NTF_USE flag set
+
+Reported-by: Marek Majkowski <marek@cloudflare.com>
+Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -982,6 +982,7 @@ int __neigh_event_send(struct neighbour
+                       atomic_set(&neigh->probes,
+                                  NEIGH_VAR(neigh->parms, UCAST_PROBES));
++                      neigh_del_timer(neigh);
+                       neigh->nud_state     = NUD_INCOMPLETE;
+                       neigh->updated = now;
+                       next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
+@@ -998,6 +999,7 @@ int __neigh_event_send(struct neighbour
+               }
+       } else if (neigh->nud_state & NUD_STALE) {
+               neigh_dbg(2, "neigh %p is delayed\n", neigh);
++              neigh_del_timer(neigh);
+               neigh->nud_state = NUD_DELAY;
+               neigh->updated = jiffies;
+               neigh_add_timer(neigh, jiffies +
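Review bot: The two added neigh_del_timer() calls carry no comment explaining why a timer can already be armed at these points, even though that re-entry (a netlink request with NTF_USE reaching __neigh_event_send while the previous timer is pending, per the "double timer add" in the description) is the whole point of the fix. A one-line comment before the first call, e.g. `/* a userspace NTF_USE request may re-enter with a timer still armed; drop it before re-arming (double add leaks a ref) */`, would stop a later cleanup from treating the call as redundant. The same note applies to the second hunk in the NUD_STALE branch, which re-arms via neigh_add_timer() right after. __neigh_event_send starts and ends outside both hunks.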
diff --git a/queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch b/queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch
new file mode 100644 (file)
index 0000000..5af27d8
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 27 Jun 2019 14:30:58 -0700
+Subject: netrom: fix a memory leak in nr_rx_frame()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c8c8218ec5af5d2598381883acbefbf604e56b5e ]
+
+When the skb is associated with a new sock, just assigning
+it to skb->sk is not sufficient, we have to set its destructor
+to free the sock properly too.
+
+Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -870,7 +870,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       unsigned short frametype, flags, window, timeout;
+       int ret;
+-      skb->sk = NULL;         /* Initially we don't know who it's for */
++      skb_orphan(skb);
+       /*
+        *      skb->data points to the netrom frame start
+@@ -969,6 +969,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       window = skb->data[20];
+       skb->sk             = make;
++      skb->destructor     = sock_efree;
+       make->sk_state      = TCP_ESTABLISHED;
+       /* Fill in his circuit details */
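Review bot: Setting `skb->destructor = sock_efree;` right after `skb->sk = make;` leaves the sock refcount unbalanced on its own, because sock_efree releases a reference that this hunk never takes on `make`. The next patch in this same commit (netrom-hold-sock-when-setting-skb-destructor) adds the missing `sock_hold(make);` and the series file lists the two consecutively, so they must be applied as a pair when backporting further. A comment at the assignment, e.g. `/* destructor drops the ref held on make; keep the pair balanced */`, would make the dependency visible in the code. nr_rx_frame starts and ends outside this hunk.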
diff --git a/queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch b/queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch
new file mode 100644 (file)
index 0000000..19c9a45
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 22 Jul 2019 20:41:22 -0700
+Subject: netrom: hold sock when setting skb->destructor
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
+
+sock_efree() releases the sock refcnt, if we don't hold this refcnt
+when setting skb->destructor to it, the refcnt would not be balanced.
+This leads to several bug reports from syzbot.
+
+I have checked other users of sock_efree(), all of them hold the
+sock refcnt.
+
+Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
+Reported-and-tested-by: <syzbot+622bdabb128acc33427d@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+6eaef7158b19e3fec3a0@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+9399c158fcc09b21d0d2@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+a34e5f3d0300163f0c87@syzkaller.appspotmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       window = skb->data[20];
++      sock_hold(make);
+       skb->sk             = make;
+       skb->destructor     = sock_efree;
+       make->sk_state      = TCP_ESTABLISHED;
diff --git a/queue-4.4/nfc-fix-potential-illegal-memory-access.patch b/queue-4.4/nfc-fix-potential-illegal-memory-access.patch
new file mode 100644 (file)
index 0000000..39d1045
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Yang Wei <albin_yang@163.com>
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: nfc: fix potential illegal memory access
+
+From: Yang Wei <albin_yang@163.com>
+
+[ Upstream commit dd006fc434e107ef90f7de0db9907cbc1c521645 ]
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei <albin_yang@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/data.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -119,7 +119,7 @@ static int nci_queue_tx_data_frags(struc
+       conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+       if (!conn_info) {
+               rc = -EPROTO;
+-              goto free_exit;
++              goto exit;
+       }
+       __skb_queue_head_init(&frags_q);
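Review bot: The changed `goto exit;` gives no hint of why `free_exit` is wrong here, so a later cleanup could easily merge the two labels again. A comment on the branch, e.g. `/* frags_q is only initialised below; free_exit must not be used yet */`, would record the ordering constraint that the description explains. The labels themselves and the rest of nci_queue_tx_data_frags are outside the hunk, so whether free_exit touches frags_q can only be inferred from the description, not seen here.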
index 5f50e8a50dd9b1cf87ae577e076a38ef2e89bfa1..69e3f09a356e1c91afd27f25bc8093149f296da1 100644 (file)
@@ -83,3 +83,18 @@ intel_th-msu-fix-single-mode-with-disabled-iommu.patch
 bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
 usb-handle-usb3-remote-wakeup-for-lpm-enabled-devices-correctly.patch
 dm-bufio-fix-deadlock-with-loop-device.patch
+bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
+caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
+ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
+net-bcmgenet-use-promisc-for-unsupported-filters.patch
+net-neigh-fix-multiple-neigh-timer-scheduling.patch
+nfc-fix-potential-illegal-memory-access.patch
+sky2-disable-msi-on-asus-p6t.patch
+netrom-fix-a-memory-leak-in-nr_rx_frame.patch
+netrom-hold-sock-when-setting-skb-destructor.patch
+tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
+net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
+bonding-validate-ip-header-before-check-ipproto_igmp.patch
+net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
+net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
+net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
diff --git a/queue-4.4/sky2-disable-msi-on-asus-p6t.patch b/queue-4.4/sky2-disable-msi-on-asus-p6t.patch
new file mode 100644 (file)
index 0000000..d18789c
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 23 Jul 2019 17:15:25 +0200
+Subject: sky2: Disable MSI on ASUS P6T
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a261e3797506bd561700be643fe1a85bf81e9661 ]
+
+The onboard sky2 NIC on ASUS P6T WS PRO doesn't work after PM resume
+due to the infamous IRQ problem.  Disabling MSI works around it, so
+let's add it to the blacklist.
+
+Unfortunately the BIOS on the machine doesn't fill the standard
+DMI_SYS_* entry, so we pick up DMI_BOARD_* entries instead.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1142496
+Reported-and-tested-by: Marcus Seyfarth <m.seyfarth@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -4939,6 +4939,13 @@ static const struct dmi_system_id msi_bl
+                       DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
+               },
+       },
++      {
++              .ident = "ASUS P6T",
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++                      DMI_MATCH(DMI_BOARD_NAME, "P6T"),
++              },
++      },
+       {}
+ };
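Review bot: The new entry matches DMI_BOARD_NAME against "P6T", and DMI_MATCH is a substring match, so MSI is disabled on every ASUS board whose name contains "P6T" (the P6T itself, P6T SE, P6T Deluxe and the P6T WS PRO named in the description), although only the WS PRO is reported. If the family-wide match is intentional, a comment next to `.ident = "ASUS P6T",` such as `/* substring match: whole P6T family, reported on P6T WS PRO */` would record that; if not, DMI_EXACT_MATCH with the full board name would narrow it to the reported machine. The msi_blacklist table begins outside the hunk.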
diff --git a/queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch b/queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
new file mode 100644 (file)
index 0000000..110358b
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Sat, 6 Jul 2019 16:13:07 -0700
+Subject: tcp: Reset bytes_acked and bytes_received when disconnecting
+
+From: Christoph Paasch <cpaasch@apple.com>
+
+[ Upstream commit e858faf556d4e14c750ba1e8852783c6f9520a0e ]
+
+If an app is playing tricks to reuse a socket via tcp_disconnect(),
+bytes_acked/received needs to be reset to 0. Otherwise tcp_info will
+report the sum of the current and the old connection..
+
+Cc: Eric Dumazet <edumazet@google.com>
+Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
+Fixes: bdd1f9edacb5 ("tcp: add tcpi_bytes_received to tcp_info")
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2272,6 +2272,8 @@ int tcp_disconnect(struct sock *sk, int
+       dst_release(sk->sk_rx_dst);
+       sk->sk_rx_dst = NULL;
+       tcp_saved_syn_free(tp);
++      tp->bytes_acked = 0;
++      tp->bytes_received = 0;
+       WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);