--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Aug 2017 07:03:15 -0700
+Subject: dccp: defer ccid_hc_tx_delete() at dismantle time
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 120e9dabaf551c6dc03d3a10a1f026376cb1811c ]
+
+syzkaller team reported another problem in DCCP [1]
+
+Problem here is that the structure holding RTO timer
+(ccid2_hc_tx_rto_expire() handler) is freed too soon.
+
+We cannot use del_timer_sync() to cancel the timer
+since this timer wants to grab socket lock (that would risk a deadlock)
+
+Solution is to defer the freeing of memory when all references to
+the socket were released. Socket timers do own a reference, so this
+should fix the issue.
+
+[1]
+
+==================================================================
+BUG: KASAN: use-after-free in ccid2_hc_tx_rto_expire+0x51c/0x5c0 net/dccp/ccids/ccid2.c:144
+Read of size 4 at addr ffff8801d2660540 by task kworker/u4:7/3365
+
+CPU: 1 PID: 3365 Comm: kworker/u4:7 Not tainted 4.13.0-rc4+ #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events_unbound call_usermodehelper_exec_work
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x24e/0x340 mm/kasan/report.c:409
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
+ ccid2_hc_tx_rto_expire+0x51c/0x5c0 net/dccp/ccids/ccid2.c:144
+ call_timer_fn+0x233/0x830 kernel/time/timer.c:1268
+ expire_timers kernel/time/timer.c:1307 [inline]
+ __run_timers+0x7fd/0xb90 kernel/time/timer.c:1601
+ run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
+ __do_softirq+0x2f5/0xba3 kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:638 [inline]
+ smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:1044
+ apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:702
+RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:824 [inline]
+RIP: 0010:__raw_write_unlock_irq include/linux/rwlock_api_smp.h:267 [inline]
+RIP: 0010:_raw_write_unlock_irq+0x56/0x70 kernel/locking/spinlock.c:343
+RSP: 0018:ffff8801cd50eaa8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
+RAX: dffffc0000000000 RBX: ffffffff85a090c0 RCX: 0000000000000006
+RDX: 1ffffffff0b595f3 RSI: 1ffff1003962f989 RDI: ffffffff85acaf98
+RBP: ffff8801cd50eab0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801cc96ea60
+R13: dffffc0000000000 R14: ffff8801cc96e4c0 R15: ffff8801cc96e4c0
+ </IRQ>
+ release_task+0xe9e/0x1a40 kernel/exit.c:220
+ wait_task_zombie kernel/exit.c:1162 [inline]
+ wait_consider_task+0x29b8/0x33c0 kernel/exit.c:1389
+ do_wait_thread kernel/exit.c:1452 [inline]
+ do_wait+0x441/0xa90 kernel/exit.c:1523
+ kernel_wait4+0x1f5/0x370 kernel/exit.c:1665
+ SYSC_wait4+0x134/0x140 kernel/exit.c:1677
+ SyS_wait4+0x2c/0x40 kernel/exit.c:1673
+ call_usermodehelper_exec_sync kernel/kmod.c:286 [inline]
+ call_usermodehelper_exec_work+0x1a0/0x2c0 kernel/kmod.c:323
+ process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2097
+ worker_thread+0x223/0x1860 kernel/workqueue.c:2231
+ kthread+0x35e/0x430 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:425
+
+Allocated by task 21267:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x127/0x750 mm/slab.c:3561
+ ccid_new+0x20e/0x390 net/dccp/ccid.c:151
+ dccp_hdlr_ccid+0x27/0x140 net/dccp/feat.c:44
+ __dccp_feat_activate+0x142/0x2a0 net/dccp/feat.c:344
+ dccp_feat_activate_values+0x34e/0xa90 net/dccp/feat.c:1538
+ dccp_rcv_request_sent_state_process net/dccp/input.c:472 [inline]
+ dccp_rcv_state_process+0xed1/0x1620 net/dccp/input.c:677
+ dccp_v4_do_rcv+0xeb/0x160 net/dccp/ipv4.c:679
+ sk_backlog_rcv include/net/sock.h:911 [inline]
+ __release_sock+0x124/0x360 net/core/sock.c:2269
+ release_sock+0xa4/0x2a0 net/core/sock.c:2784
+ inet_wait_for_connect net/ipv4/af_inet.c:557 [inline]
+ __inet_stream_connect+0x671/0xf00 net/ipv4/af_inet.c:643
+ inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:682
+ SYSC_connect+0x204/0x470 net/socket.c:1642
+ SyS_connect+0x24/0x30 net/socket.c:1623
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Freed by task 3049:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
+ __cache_free mm/slab.c:3503 [inline]
+ kmem_cache_free+0x77/0x280 mm/slab.c:3763
+ ccid_hc_tx_delete+0xc5/0x100 net/dccp/ccid.c:190
+ dccp_destroy_sock+0x1d1/0x2b0 net/dccp/proto.c:225
+ inet_csk_destroy_sock+0x166/0x3f0 net/ipv4/inet_connection_sock.c:833
+ dccp_done+0xb7/0xd0 net/dccp/proto.c:145
+ dccp_time_wait+0x13d/0x300 net/dccp/minisocks.c:72
+ dccp_rcv_reset+0x1d1/0x5b0 net/dccp/input.c:160
+ dccp_rcv_state_process+0x8fc/0x1620 net/dccp/input.c:663
+ dccp_v4_do_rcv+0xeb/0x160 net/dccp/ipv4.c:679
+ sk_backlog_rcv include/net/sock.h:911 [inline]
+ __sk_receive_skb+0x33e/0xc00 net/core/sock.c:521
+ dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:871
+ ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:248 [inline]
+ ip_local_deliver+0x1ce/0x6d0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:477 [inline]
+ ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:248 [inline]
+ ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488
+ __netif_receive_skb_core+0x19af/0x33d0 net/core/dev.c:4417
+ __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4455
+ process_backlog+0x203/0x740 net/core/dev.c:5130
+ napi_poll net/core/dev.c:5527 [inline]
+ net_rx_action+0x792/0x1910 net/core/dev.c:5593
+ __do_softirq+0x2f5/0xba3 kernel/softirq.c:284
+
+The buggy address belongs to the object at ffff8801d2660100
+ which belongs to the cache ccid2_hc_tx_sock of size 1240
+The buggy address is located 1088 bytes inside of
+ 1240-byte region [ffff8801d2660100, ffff8801d26605d8)
+The buggy address belongs to the page:
+page:ffffea0007499800 count:1 mapcount:0 mapping:ffff8801d2660100 index:0x0 compound_mapcount: 0
+flags: 0x200000000008100(slab|head)
+raw: 0200000000008100 ffff8801d2660100 0000000000000000 0000000100000005
+raw: ffffea00075271a0 ffffea0007538820 ffff8801d3aef9c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d2660400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d2660480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d2660500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8801d2660580: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff8801d2660600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -24,6 +24,7 @@
+ #include <net/checksum.h>
+
+ #include <net/inet_sock.h>
++#include <net/inet_common.h>
+ #include <net/sock.h>
+ #include <net/xfrm.h>
+
+@@ -170,6 +171,15 @@ const char *dccp_packet_name(const int t
+
+ EXPORT_SYMBOL_GPL(dccp_packet_name);
+
++static void dccp_sk_destruct(struct sock *sk)
++{
++ struct dccp_sock *dp = dccp_sk(sk);
++
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_tx_ccid = NULL;
++ inet_sock_destruct(sk);
++}
++
+ int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
+ {
+ struct dccp_sock *dp = dccp_sk(sk);
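Review bot: dccp_sk_destruct() passes dp->dccps_hc_tx_ccid to ccid_hc_tx_delete() unconditionally, and sk_destruct runs for every DCCP socket, including ones closed before feature negotiation ever allocated a tx CCID (the KASAN "Allocated by" trace shows ccid_new() being reached from dccp_feat_activate_values() during connect). Confirm that ccid_hc_tx_delete() tolerates a NULL ccid, or guard the call with `if (dp->dccps_hc_tx_ccid)`. A short comment above the function stating why the tx CCID is released here rather than in dccp_destroy_sock() (the RTO timer may still be armed and takes the socket lock, so del_timer_sync() cannot be used and the memory must outlive the last socket reference) would keep that reasoning with the code instead of only in the commit message.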
+@@ -179,6 +189,7 @@ int dccp_init_sock(struct sock *sk, cons
+ icsk->icsk_syn_retries = sysctl_dccp_request_retries;
+ sk->sk_state = DCCP_CLOSED;
+ sk->sk_write_space = dccp_write_space;
++ sk->sk_destruct = dccp_sk_destruct;
+ icsk->icsk_sync_mss = dccp_sync_mss;
+ dp->dccps_mss_cache = 536;
+ dp->dccps_rate_last = jiffies;
+@@ -219,8 +230,7 @@ void dccp_destroy_sock(struct sock *sk)
+ dp->dccps_hc_rx_ackvec = NULL;
+ }
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+- dp->dccps_hc_rx_ccid = dp->dccps_hc_tx_ccid = NULL;
++ dp->dccps_hc_rx_ccid = NULL;
+
+ /* clean up feature negotiation state */
+ dccp_feat_list_purge(&dp->dccps_featneg);
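Review bot: with the tx ccid_hc_tx_delete() call and the tx-pointer clear removed here, dp->dccps_hc_tx_ccid stays valid between dccp_destroy_sock() and the final sock_put() that runs dccp_sk_destruct(), while the rx pointer is still cleared on the line above. Anything that relied on the tx pointer being NULL after destroy now sees a live CCID. A one-line comment at this spot, e.g. `/* tx CCID is freed in dccp_sk_destruct(); its timer may still be armed */`, would explain the asymmetry with the rx side and stop a future cleanup from reintroducing the early free.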
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Aug 2017 14:10:25 -0700
+Subject: dccp: purge write queue in dccp_destroy_sock()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7749d4ff88d31b0be17c8683143135adaaadc6a7 ]
+
+syzkaller reported that DCCP could have a non-empty
+write queue at dismantle time.
+
+WARNING: CPU: 1 PID: 2953 at net/core/stream.c:199 sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 2953 Comm: syz-executor0 Not tainted 4.13.0-rc4+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ panic+0x1e4/0x417 kernel/panic.c:180
+ __warn+0x1c4/0x1d9 kernel/panic.c:541
+ report_bug+0x211/0x2d0 lib/bug.c:183
+ fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
+ do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
+ do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
+ do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
+ invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:846
+RIP: 0010:sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
+RSP: 0018:ffff8801d182f108 EFLAGS: 00010297
+RAX: ffff8801d1144140 RBX: ffff8801d13cb280 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff85137b00 RDI: ffff8801d13cb280
+RBP: ffff8801d182f148 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d13cb4d0
+R13: ffff8801d13cb3b8 R14: ffff8801d13cb300 R15: ffff8801d13cb3b8
+ inet_csk_destroy_sock+0x175/0x3f0 net/ipv4/inet_connection_sock.c:835
+ dccp_close+0x84d/0xc10 net/dccp/proto.c:1067
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ sock_close+0x16/0x20 net/socket.c:1126
+ __fput+0x327/0x7e0 fs/file_table.c:210
+ ____fput+0x15/0x20 fs/file_table.c:246
+ task_work_run+0x18a/0x260 kernel/task_work.c:116
+ exit_task_work include/linux/task_work.h:21 [inline]
+ do_exit+0xa32/0x1b10 kernel/exit.c:865
+ do_group_exit+0x149/0x400 kernel/exit.c:969
+ get_signal+0x7e8/0x17e0 kernel/signal.c:2330
+ do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
+ exit_to_usermode_loop+0x21c/0x2d0 arch/x86/entry/common.c:157
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath+0x3a7/0x450 arch/x86/entry/common.c:263
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -201,10 +201,7 @@ void dccp_destroy_sock(struct sock *sk)
+ {
+ struct dccp_sock *dp = dccp_sk(sk);
+
+- /*
+- * DCCP doesn't use sk_write_queue, just sk_send_head
+- * for retransmissions
+- */
++ __skb_queue_purge(&sk->sk_write_queue);
+ if (sk->sk_send_head != NULL) {
+ kfree_skb(sk->sk_send_head);
+ sk->sk_send_head = NULL;
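Review bot: the removed comment claimed DCCP does not use sk_write_queue, but the WARNING at net/core/stream.c:199 quoted in the commit message is sk_stream_kill_queues() finding exactly that queue non-empty, so the comment was stale rather than the code; replacing it with one sentence saying the queue can still hold unsent skbs at dismantle time would be better than deleting it. Ordering check: `__skb_queue_purge(&sk->sk_write_queue);` now runs before `kfree_skb(sk->sk_send_head);`. That is only safe if sk_send_head is never an element of sk_write_queue (as the old comment implied, it is a separate retransmission skb); if it ever were, the purge would free it first and the kfree_skb() below would become a double free, so stating that invariant in a comment here is worthwhile.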
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 17 Aug 2017 23:14:58 +0100
+Subject: irda: do not leak initialized list.dev to userspace
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit b024d949a3c24255a7ef1a470420eb478949aa4c ]
+
+list.dev has not been initialized and so the copy_to_user is copying
+data from the stack back to user space which is a potential
+information leak. Fix this ensuring all of list is initialized to
+zero.
+
+Detected by CoverityScan, CID#1357894 ("Uninitialized scalar variable")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/af_irda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2251,7 +2251,7 @@ static int irda_getsockopt(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+- struct irda_device_list list;
++ struct irda_device_list list = { 0 };
+ struct irda_device_info *discoveries;
+ struct irda_ias_set * ias_opt; /* IAS get/query params */
+ struct ias_object * ias_obj; /* Object in IAS */
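Review bot: `struct irda_device_list list = { 0 };` zero-initializes every member, but C does not guarantee that padding bytes are zeroed by an initializer, and the struct is later copied to userspace as a whole. Since the purpose of the change is to stop stack bytes reaching userspace, `memset(&list, 0, sizeof(list));` is the conservative form for a buffer handed to copy_to_user(); if the struct has no padding on all supported architectures, a comment noting that would justify keeping the initializer.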
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 18 Aug 2017 11:01:36 +0800
+Subject: net: sched: fix NULL pointer dereference when action calls some targets
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ]
+
+As we know, in some target's checkentry it may dereference par.entryinfo
+to check entry stuff inside. But when sched action calls xt_check_target,
+par.entryinfo is set to NULL. It would cause a kernel panic when calling
+some targets.
+
+It can be reproduced with:
+ # tc qd add dev eth1 ingress handle ffff:
+ # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
+ -j ECN --ecn-tcp-remove
+
+It could also crash kernel when using target CLUSTERIP or TPROXY.
+
+By now there's no proper value for par.entryinfo in ipt_init_target,
+but it cannot be set to NULL. This patch is to avoid all these
+panics by setting it to an ipt_entry obj with all members = 0.
+
+Note that this issue has been there since the very beginning.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ipt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -34,6 +34,7 @@ static int ipt_init_target(struct xt_ent
+ {
+ struct xt_tgchk_param par;
+ struct xt_target *target;
++ struct ipt_entry e = {};
+ int ret = 0;
+
+ target = xt_request_find_target(AF_INET, t->u.user.name,
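Review bot: `struct ipt_entry e = {};` is a placeholder that exists only so par.entryinfo is non-NULL; a comment on this line saying so (the commit message explains that no proper value is available in ipt_init_target) would stop a reader from assuming the zeroed entry carries meaningful match data.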
+@@ -44,6 +45,7 @@ static int ipt_init_target(struct xt_ent
+ t->u.kernel.target = target;
+ memset(&par, 0, sizeof(par));
+ par.table = table;
++ par.entryinfo = &e;
+ par.target = target;
+ par.targinfo = t->data;
+ par.hook_mask = hook;
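Review bot: par.entryinfo now points at `e`, which lives on the stack of ipt_init_target(). That is fine as long as every target only reads entryinfo inside its checkentry callback; if any target keeps the pointer past the xt_check_target() call, it dangles once this function returns. Worth stating that lifetime assumption in a comment next to `par.entryinfo = &e;`. It also means targets that do read fields from the entry will see all-zero values rather than the caller's configuration, which is what the commit message's "all members = 0" implies and should be spelled out at this spot.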
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Sat, 19 Aug 2017 15:37:07 +0300
+Subject: net_sched: fix order of queue length updates in qdisc_replace()
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit 68a66d149a8c78ec6720f268597302883e48e9fa ]
+
+It is important to call qdisc_tree_reduce_backlog() after changing queue
+length. Parent qdisc should deactivate class in ->qlen_notify() called from
+qdisc_tree_reduce_backlog() but this happens only if qdisc->q.qlen is zero.
+
+Missed class deactivations lead to crashes/warnings when picking packets
+from empty qdisc and corrupting state when reactivating this class in future.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Fixes: 86a7996cc8a0 ("net_sched: introduce qdisc_replace() helper")
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sch_generic.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -699,8 +699,11 @@ static inline struct Qdisc *qdisc_replac
+ old = *pold;
+ *pold = new;
+ if (old != NULL) {
+- qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog);
++ unsigned int qlen = old->q.qlen;
++ unsigned int backlog = old->qstats.backlog;
++
+ qdisc_reset(old);
++ qdisc_tree_reduce_backlog(old, qlen, backlog);
+ }
+ sch_tree_unlock(sch);
+
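Review bot: the snapshot of `old->q.qlen` and `old->qstats.backlog` into locals before qdisc_reset() is the whole point of the change and deserves a comment: qdisc_reset() zeroes those counters, so calling qdisc_tree_reduce_backlog() afterwards with the live values would reduce the parents by nothing, while calling it before the reset (the removed line) leaves old->q.qlen non-zero during the walk so ->qlen_notify() never deactivates the class. A two-line comment above the locals saying "snapshot before reset; notify after reset so q.qlen is zero when the parent checks it" would keep a future cleanup from folding this back into one call.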
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 16 Aug 2017 20:16:40 +0200
+Subject: sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d ]
+
+KMSAN reported use of uninitialized sctp_addr->v4.sin_addr.s_addr and
+sctp_addr->v6.sin6_scope_id in sctp_v6_cmp_addr() (see below).
+Make sure all fields of an IPv6 address are initialized, which
+guarantees that the IPv4 fields are also initialized.
+
+==================================================================
+ BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
+ net/sctp/ipv6.c:517
+ CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+ 01/01/2011
+ Call Trace:
+ dump_stack+0x172/0x1c0 lib/dump_stack.c:42
+ is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
+ native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
+ arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
+ arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
+ __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
+ sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
+ sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+ sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
+ sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
+ inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg net/socket.c:643 [inline]
+ SYSC_sendto+0x608/0x710 net/socket.c:1696
+ SyS_sendto+0x8a/0xb0 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x13/0x94
+ RIP: 0033:0x44b479
+ RSP: 002b:00007f6213f21c08 EFLAGS: 00000286 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 000000000044b479
+ RDX: 0000000000000041 RSI: 0000000020edd000 RDI: 0000000000000006
+ RBP: 00000000007080a8 R08: 0000000020b85fe4 R09: 000000000000001c
+ R10: 0000000000040005 R11: 0000000000000286 R12: 00000000ffffffff
+ R13: 0000000000003760 R14: 00000000006e5820 R15: 0000000000ff8000
+ origin description: ----dst_saddr@sctp_v6_get_dst
+ local variable created at:
+ sk_fullsock include/net/sock.h:2321 [inline]
+ inet6_sk include/linux/ipv6.h:309 [inline]
+ sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+==================================================================
+ BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
+ net/sctp/ipv6.c:517
+ CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+ 01/01/2011
+ Call Trace:
+ dump_stack+0x172/0x1c0 lib/dump_stack.c:42
+ is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
+ native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
+ arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
+ arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
+ __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
+ sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
+ sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+ sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
+ sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
+ inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg net/socket.c:643 [inline]
+ SYSC_sendto+0x608/0x710 net/socket.c:1696
+ SyS_sendto+0x8a/0xb0 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x13/0x94
+ RIP: 0033:0x44b479
+ RSP: 002b:00007f6213f21c08 EFLAGS: 00000286 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 000000000044b479
+ RDX: 0000000000000041 RSI: 0000000020edd000 RDI: 0000000000000006
+ RBP: 00000000007080a8 R08: 0000000020b85fe4 R09: 000000000000001c
+ R10: 0000000000040005 R11: 0000000000000286 R12: 00000000ffffffff
+ R13: 0000000000003760 R14: 00000000006e5820 R15: 0000000000ff8000
+ origin description: ----dst_saddr@sctp_v6_get_dst
+ local variable created at:
+ sk_fullsock include/net/sock.h:2321 [inline]
+ inet6_sk include/linux/ipv6.h:309 [inline]
+ sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+==================================================================
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -509,7 +509,9 @@ static void sctp_v6_to_addr(union sctp_a
+ {
+ addr->sa.sa_family = AF_INET6;
+ addr->v6.sin6_port = port;
++ addr->v6.sin6_flowinfo = 0;
+ addr->v6.sin6_addr = *saddr;
++ addr->v6.sin6_scope_id = 0;
+ }
+
+ /* Compare addresses exactly.
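Review bot: after this hunk every sockaddr_in6 field visible here (sa_family, sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id) is written, which addresses the KMSAN report. The commit message's claim that this also initializes the IPv4 view relies on sockaddr_in6 being the larger overlay inside union sctp_addr, so sin_addr.s_addr sits over bytes now written; a comment at the top of sctp_v6_to_addr() stating that the whole v6 view must be initialized because the union is later compared field-by-field (sctp_v6_cmp_addr at net/sctp/ipv6.c:517) would stop a future field from being added without an initializer. If union sctp_addr ever has a member larger than sockaddr_in6, a memset of `*addr` before the assignments would be the more robust form.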
--- /dev/null
+dccp-purge-write-queue-in-dccp_destroy_sock.patch
+dccp-defer-ccid_hc_tx_delete-at-dismantle-time.patch
+sctp-fully-initialize-the-ipv6-address-in-sctp_v6_to_addr.patch
+tcp-when-rearming-rto-if-rto-time-is-in-past-then-fire-rto-asap.patch
+irda-do-not-leak-initialized-list.dev-to-userspace.patch
+net-sched-fix-null-pointer-dereference-when-action-calls-some-targets.patch
+net_sched-fix-order-of-queue-length-updates-in-qdisc_replace.patch
--- /dev/null
+From foo@baz Thu Aug 24 17:49:47 PDT 2017
+From: Neal Cardwell <ncardwell@google.com>
+Date: Wed, 16 Aug 2017 17:53:36 -0400
+Subject: tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
+
+From: Neal Cardwell <ncardwell@google.com>
+
+
+[ Upstream commit cdbeb633ca71a02b7b63bfeb94994bf4e1a0b894 ]
+
+In some situations tcp_send_loss_probe() can realize that it's unable
+to send a loss probe (TLP), and falls back to calling tcp_rearm_rto()
+to schedule an RTO timer. In such cases, sometimes tcp_rearm_rto()
+realizes that the RTO was eligible to fire immediately or at some
+point in the past (delta_us <= 0). Previously in such cases
+tcp_rearm_rto() was scheduling such "overdue" RTOs to happen at now +
+icsk_rto, which caused needless delays of hundreds of milliseconds
+(and non-linear behavior that made reproducible testing
+difficult). This commit changes the logic to schedule "overdue" RTOs
+ASAP, rather than at now + icsk_rto.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Suggested-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2985,8 +2985,7 @@ void tcp_rearm_rto(struct sock *sk)
+ /* delta may not be positive if the socket is locked
+ * when the retrans timer fires and is rescheduled.
+ */
+- if (delta > 0)
+- rto = delta;
++ delta = max(delta, 1);
+ }
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, rto,
+ TCP_RTO_MAX);
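Review bot: in the visible lines `rto` is no longer assigned from `delta` after this hunk. The removed `rto = delta;` was the only such assignment shown, the added `delta = max(delta, 1);` only clamps the local, and inet_csk_reset_xmit_timer() directly below still passes `rto`. Unless code outside this hunk derives rto from delta, the timer is still armed with the original rto and the overdue-RTO behaviour the commit message describes does not change; the intended form looks like `rto = max(delta, 1);` (use max_t(int, ...) if delta's type does not match the literal, since the kernel's max() is type-checked). Please confirm against the surrounding function before this goes into stable.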