--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Sat, 30 May 2020 11:34:33 +0800
+Subject: devinet: fix memleak in inetdev_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
+
+When devinet_sysctl_register() failed, the memory allocated
+in neigh_parms_alloc() should be freed.
+
+Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -262,6 +262,7 @@ static struct in_device *inetdev_init(st
+ err = devinet_sysctl_register(in_dev);
+ if (err) {
+ in_dev->dead = 1;
++ neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+ in_dev_put(in_dev);
+ in_dev = NULL;
+ goto out;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:32:25 -0700
+Subject: l2tp: add sk_family checks to l2tp_validate_socket
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
+
+syzbot was able to trigger a crash after using an ISDN socket
+and fool l2tp.
+
+Fix this by making sure the UDP socket is of the proper family.
+
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
+
+CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
+ __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+ l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
+ l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
+ genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45ca29
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
+
+Allocated by task 3018:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ __kasan_kmalloc mm/kasan/common.c:495 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x161/0x7a0 mm/slab.c:3665
+ kmalloc include/linux/slab.h:560 [inline]
+ sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
+ sk_alloc+0x36/0x1100 net/core/sock.c:1666
+ data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
+ mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Freed by task 2484:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ kasan_set_free_info mm/kasan/common.c:317 [inline]
+ __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x109/0x2b0 mm/slab.c:3757
+ kvfree+0x42/0x50 mm/util.c:603
+ __free_fdtable+0x2d/0x70 fs/file.c:31
+ put_files_struct fs/file.c:420 [inline]
+ put_files_struct+0x248/0x2e0 fs/file.c:413
+ exit_files+0x7e/0xa0 fs/file.c:445
+ do_exit+0xb04/0x2dd0 kernel/exit.c:791
+ do_group_exit+0x125/0x340 kernel/exit.c:894
+ get_signal+0x47b/0x24e0 kernel/signal.c:2739
+ do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
+ exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
+ prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The buggy address belongs to the object at ffff88808ed0c000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1424 bytes inside of
+ 2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
+The buggy address belongs to the page:
+page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
+raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Guillaume Nault <gnault@redhat.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1589,6 +1589,8 @@ int l2tp_tunnel_create(struct net *net,
+ tunnel_id, fd);
+ goto err;
+ }
++ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
++ goto err;
+ switch (encap) {
+ case L2TP_ENCAPTYPE_UDP:
+ if (sk->sk_protocol != IPPROTO_UDP) {
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:20:53 -0700
+Subject: l2tp: do not use inet_hash()/inet_unhash()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
+
+syzbot recently found a way to crash the kernel [1]
+
+Issue here is that inet_hash() & inet_unhash() are currently
+only meant to be used by TCP & DCCP, since only these protocols
+provide the needed hashinfo pointer.
+
+L2TP uses a single list (instead of a hash table)
+
+This old bug became an issue after commit 610236587600
+("bpf: Add new cgroup attach type to enable sock modifications")
+since after this commit, sk_common_release() can be called
+while the L2TP socket is still considered 'hashed'.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ sk_common_release+0xba/0x370 net/core/sock.c:3210
+ inet_create net/ipv4/af_inet.c:390 [inline]
+ inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x441e29
+Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
+RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
+Modules linked in:
+---[ end trace 23b6578228ce553e ]---
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c | 29 ++++++++++++++++++++++-------
+ net/l2tp/l2tp_ip6.c | 30 ++++++++++++++++++++++--------
+ 2 files changed, 44 insertions(+), 15 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -24,7 +24,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -215,15 +214,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip_open(struct sock *sk)
++static int l2tp_ip_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip_lock);
++ sk_add_node(sk, &l2tp_ip_table);
++ write_unlock_bh(&l2tp_ip_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip_lock);
+- sk_add_node(sk, &l2tp_ip_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip_lock);
++}
++
++static int l2tp_ip_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip_hash(sk);
+ return 0;
+ }
+
+@@ -605,8 +620,8 @@ static struct proto l2tp_ip_prot = {
+ .sendmsg = l2tp_ip_sendmsg,
+ .recvmsg = l2tp_ip_recvmsg,
+ .backlog_rcv = l2tp_ip_backlog_recv,
+- .hash = inet_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip_hash,
++ .unhash = l2tp_ip_unhash,
+ .obj_size = sizeof(struct l2tp_ip_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ip_setsockopt,
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -24,8 +24,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+-#include <net/inet6_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -229,15 +227,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip6_open(struct sock *sk)
++static int l2tp_ip6_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip6_lock);
++ sk_add_node(sk, &l2tp_ip6_table);
++ write_unlock_bh(&l2tp_ip6_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip6_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip6_lock);
+- sk_add_node(sk, &l2tp_ip6_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip6_lock);
++}
++
++static int l2tp_ip6_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip6_hash(sk);
+ return 0;
+ }
+
+@@ -742,8 +756,8 @@ static struct proto l2tp_ip6_prot = {
+ .sendmsg = l2tp_ip6_sendmsg,
+ .recvmsg = l2tp_ip6_recvmsg,
+ .backlog_rcv = l2tp_ip6_backlog_recv,
+- .hash = inet6_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip6_hash,
++ .unhash = l2tp_ip6_unhash,
+ .obj_size = sizeof(struct l2tp_ip6_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ipv6_setsockopt,
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 25 May 2020 15:07:40 -0400
+Subject: net: check untrusted gso_size at kernel entry
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with gso size exceeding len.
+
+These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
+But they may affect gso size calculations earlier in the path.
+
+Now that we have thlen as of commit 9274124f023b ("net: stricter
+validation of untrusted gso packets"), check gso_size at entry too.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb(
+ {
+ unsigned int gso_type = 0;
+ unsigned int thlen = 0;
++ unsigned int p_off = 0;
+ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb(
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+- if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ p_off = skb_transport_offset(skb) + thlen;
++ if (p_off > skb_headlen(skb))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -90,17 +92,25 @@ retry:
+ return -EINVAL;
+ }
+
+- if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ p_off = keys.control.thoff + thlen;
++ if (p_off > skb_headlen(skb) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
++ } else if (gso_type) {
++ p_off = thlen;
++ if (p_off > skb_headlen(skb))
++ return -EINVAL;
+ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
+
++ if (skb->len - p_off <= gso_size)
++ return -EINVAL;
++
+ skb_shinfo(skb)->gso_size = gso_size;
+ skb_shinfo(skb)->gso_type = gso_type;
+
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 25 May 2020 23:25:37 +0200
+Subject: net: usb: qmi_wwan: add Telit LE910C1-EUX composition
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 591612aa578cd7148b7b9d74869ef40118978389 ]
+
+Add support for Telit LE910C1-EUX composition
+
+0x1031: tty, tty, tty, rmnet
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1249,6 +1249,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Thu, 28 May 2020 18:20:37 +0800
+Subject: NFC: st21nfca: add missed kfree_skb() in an error path
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 ]
+
+st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path.
+Add the missed function call to fix it.
+
+Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/dep.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/dep.c
++++ b/drivers/nfc/st21nfca/dep.c
+@@ -184,8 +184,10 @@ static int st21nfca_tm_send_atr_res(stru
+ memcpy(atr_res->gbi, atr_req->gbi, gb_len);
+ r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi,
+ gb_len);
+- if (r < 0)
++ if (r < 0) {
++ kfree_skb(skb);
+ return r;
++ }
+ }
+
+ info->dep_info.curr_nfc_dep_pni = 0;
mmc-fix-compilation-of-user-api.patch
scsi-ufs-release-clock-if-dma-map-fails.patch
airo-fix-read-overflows-sending-packets.patch
+devinet-fix-memleak-in-inetdev_init.patch
+l2tp-do-not-use-inet_hash-inet_unhash.patch
+net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
+nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
+vsock-fix-timeout-in-vsock_accept.patch
+net-check-untrusted-gso_size-at-kernel-entry.patch
+l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
--- /dev/null
+From foo@baz Sun 07 Jun 2020 03:24:36 PM CEST
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Wed, 27 May 2020 09:56:55 +0200
+Subject: vsock: fix timeout in vsock_accept()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
+
+The accept(2) is an "input" socket interface, so we should use
+SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
+
+So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
+use the right timeout in the vsock_accept().
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1290,7 +1290,7 @@ static int vsock_accept(struct socket *s
+ /* Wait for children sockets to appear; these are the new sockets
+ * created upon connection establishment.
+ */
+- timeout = sock_sndtimeo(listener, flags & O_NONBLOCK);
++ timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK);
+ prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+
+ while ((connected = vsock_dequeue_accept(listener)) == NULL &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
