3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Apr 2018 13:29:46 +0000 (15:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Apr 2018 13:29:46 +0000 (15:29 +0200)
added patches:
bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
ip6_gre-better-validate-user-provided-tunnel-names.patch
ip6_tunnel-better-validate-user-provided-tunnel-names.patch
ip_tunnel-better-validate-user-provided-tunnel-names.patch
ipv6-sit-better-validate-user-provided-tunnel-names.patch
ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
net-fool-proof-dev_valid_name.patch
net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
r8169-fix-setting-driver_data-after-register_netdev.patch
sctp-do-not-leak-kernel-memory-to-user-space.patch
sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
vhost-correctly-remove-wait-queue-during-poll-failure.patch
vti6-better-validate-user-provided-tunnel-names.patch

20 files changed:
queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch [new file with mode: 0644]
queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch [new file with mode: 0644]
queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch [new file with mode: 0644]
queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch [new file with mode: 0644]
queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch [new file with mode: 0644]
queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch [new file with mode: 0644]
queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch [new file with mode: 0644]
queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch [new file with mode: 0644]
queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch [new file with mode: 0644]
queue-3.18/net-fool-proof-dev_valid_name.patch [new file with mode: 0644]
queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch [new file with mode: 0644]
queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch [new file with mode: 0644]
queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch [new file with mode: 0644]
queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch [new file with mode: 0644]
queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch [new file with mode: 0644]
queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch [new file with mode: 0644]
queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch [new file with mode: 0644]
queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch [new file with mode: 0644]

diff --git a/queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch b/queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
new file mode 100644 (file)
index 0000000..c3263a1
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:45 +0800
+Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ]
+
+vlan_vids_add_by_dev is called right after dev hwaddr sync, so on
+the err path it should unsync dev hwaddr. Otherwise, the slave
+dev's hwaddr will never be unsync when this err happens.
+
+Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1421,7 +1421,7 @@ int bond_enslave(struct net_device *bond
+       if (res) {
+               netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+                          slave_dev->name);
+-              goto err_close;
++              goto err_hwaddr_unsync;
+       }
+       prev_slave = bond_last_slave(bond);
+@@ -1596,9 +1596,6 @@ err_unregister:
+       netdev_rx_handler_unregister(slave_dev);
+ err_detach:
+-      if (!bond_uses_primary(bond))
+-              bond_hw_addr_flush(bond_dev, slave_dev);
+-
+       vlan_vids_del_by_dev(slave_dev, bond_dev);
+       if (rcu_access_pointer(bond->primary_slave) == new_slave)
+               RCU_INIT_POINTER(bond->primary_slave, NULL);
+@@ -1612,6 +1609,10 @@ err_detach:
+       synchronize_rcu();
+       slave_disable_netpoll(new_slave);
++err_hwaddr_unsync:
++      if (!bond_uses_primary(bond))
++              bond_hw_addr_flush(bond_dev, slave_dev);
++
+ err_close:
+       slave_dev->priv_flags &= ~IFF_BONDING;
+       dev_close(slave_dev);
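Review bot: Taken on its own, the new `goto err_hwaddr_unsync` at L86 only runs `bond_hw_addr_flush()`, which as far as I recall unsyncs the uc/mc lists and the LACPDU address but does not undo the `dev_set_promiscuity(slave_dev, 1)` / `dev_set_allmulti(slave_dev, 1)` increments that, in this version of bond_enslave, are taken just before `vlan_vids_add_by_dev()` (visible as the pre-move block at L181-L192 of the next patch), so those counters would still leak on that error path. The two following bonding patches in this batch move the whole block after the vlan call, which makes the point moot once the series is applied in upstream order, so the only change I would make here is a comment on the new label, `/* undo dev_mc/uc_sync_multiple() done before vlan_vids_add_by_dev() */`. bond_enslave starts and ends outside the hunk.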
diff --git a/queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch b/queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
new file mode 100644 (file)
index 0000000..1a43ec4
--- /dev/null
@@ -0,0 +1,165 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:46 +0800
+Subject: bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e ]
+
+Beniamino found a crash when adding vlan as slave of bond which is also
+the parent link:
+
+  ip link add bond1 type bond
+  ip link set bond1 up
+  ip link add link bond1 vlan1 type vlan id 80
+  ip link set vlan1 master bond1
+
+The call trace is as below:
+
+  [<ffffffffa850842a>] queued_spin_lock_slowpath+0xb/0xf
+  [<ffffffffa8515680>] _raw_spin_lock+0x20/0x30
+  [<ffffffffa83f6f07>] dev_mc_sync+0x37/0x80
+  [<ffffffffc08687dc>] vlan_dev_set_rx_mode+0x1c/0x30 [8021q]
+  [<ffffffffa83efd2a>] __dev_set_rx_mode+0x5a/0xa0
+  [<ffffffffa83f7138>] dev_mc_sync_multiple+0x78/0x80
+  [<ffffffffc084127c>] bond_enslave+0x67c/0x1190 [bonding]
+  [<ffffffffa8401909>] do_setlink+0x9c9/0xe50
+  [<ffffffffa8403bf2>] rtnl_newlink+0x522/0x880
+  [<ffffffffa8403ff7>] rtnetlink_rcv_msg+0xa7/0x260
+  [<ffffffffa8424ecb>] netlink_rcv_skb+0xab/0xc0
+  [<ffffffffa83fe498>] rtnetlink_rcv+0x28/0x30
+  [<ffffffffa8424850>] netlink_unicast+0x170/0x210
+  [<ffffffffa8424bf8>] netlink_sendmsg+0x308/0x420
+  [<ffffffffa83cc396>] sock_sendmsg+0xb6/0xf0
+
+This is actually a dead lock caused by sync slave hwaddr from master when
+the master is the slave's 'slave'. This dead loop check is actually done
+by netdev_master_upper_dev_link. However, Commit 1f718f0f4f97 ("bonding:
+populate neighbour's private on enslave") moved it after dev_mc_sync.
+
+This patch is to fix it by moving dev_mc_sync after master_upper_dev_link,
+so that this loop check would be earlier than dev_mc_sync. It also moves
+if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an
+improvement.
+
+Note team driver also has this issue, I will fix it in another patch.
+
+Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave")
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   73 +++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1384,44 +1384,11 @@ int bond_enslave(struct net_device *bond
+                       goto err_close;
+       }
+-      /* If the mode uses primary, then the following is handled by
+-       * bond_change_active_slave().
+-       */
+-      if (!bond_uses_primary(bond)) {
+-              /* set promiscuity level to new slave */
+-              if (bond_dev->flags & IFF_PROMISC) {
+-                      res = dev_set_promiscuity(slave_dev, 1);
+-                      if (res)
+-                              goto err_close;
+-              }
+-
+-              /* set allmulti level to new slave */
+-              if (bond_dev->flags & IFF_ALLMULTI) {
+-                      res = dev_set_allmulti(slave_dev, 1);
+-                      if (res)
+-                              goto err_close;
+-              }
+-
+-              netif_addr_lock_bh(bond_dev);
+-
+-              dev_mc_sync_multiple(slave_dev, bond_dev);
+-              dev_uc_sync_multiple(slave_dev, bond_dev);
+-
+-              netif_addr_unlock_bh(bond_dev);
+-      }
+-
+-      if (BOND_MODE(bond) == BOND_MODE_8023AD) {
+-              /* add lacpdu mc addr to mc list */
+-              u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+-
+-              dev_mc_add(slave_dev, lacpdu_multicast);
+-      }
+-
+       res = vlan_vids_add_by_dev(slave_dev, bond_dev);
+       if (res) {
+               netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+                          slave_dev->name);
+-              goto err_hwaddr_unsync;
++              goto err_close;
+       }
+       prev_slave = bond_last_slave(bond);
+@@ -1567,6 +1534,37 @@ int bond_enslave(struct net_device *bond
+               goto err_upper_unlink;
+       }
++      /* If the mode uses primary, then the following is handled by
++       * bond_change_active_slave().
++       */
++      if (!bond_uses_primary(bond)) {
++              /* set promiscuity level to new slave */
++              if (bond_dev->flags & IFF_PROMISC) {
++                      res = dev_set_promiscuity(slave_dev, 1);
++                      if (res)
++                              goto err_sysfs_del;
++              }
++
++              /* set allmulti level to new slave */
++              if (bond_dev->flags & IFF_ALLMULTI) {
++                      res = dev_set_allmulti(slave_dev, 1);
++                      if (res)
++                              goto err_sysfs_del;
++              }
++
++              netif_addr_lock_bh(bond_dev);
++              dev_mc_sync_multiple(slave_dev, bond_dev);
++              dev_uc_sync_multiple(slave_dev, bond_dev);
++              netif_addr_unlock_bh(bond_dev);
++
++              if (BOND_MODE(bond) == BOND_MODE_8023AD) {
++                      /* add lacpdu mc addr to mc list */
++                      u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
++
++                      dev_mc_add(slave_dev, lacpdu_multicast);
++              }
++      }
++
+       bond->slave_cnt++;
+       bond_compute_features(bond);
+       bond_set_carrier(bond);
+@@ -1589,6 +1587,9 @@ int bond_enslave(struct net_device *bond
+       return 0;
+ /* Undo stages on error */
++err_sysfs_del:
++      bond_sysfs_slave_del(new_slave);
++
+ err_upper_unlink:
+       bond_upper_dev_unlink(bond_dev, slave_dev);
+@@ -1609,10 +1610,6 @@ err_detach:
+       synchronize_rcu();
+       slave_disable_netpoll(new_slave);
+-err_hwaddr_unsync:
+-      if (!bond_uses_primary(bond))
+-              bond_hw_addr_flush(bond_dev, slave_dev);
+-
+ err_close:
+       slave_dev->priv_flags &= ~IFF_BONDING;
+       dev_close(slave_dev);
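Review bot: The hunk at L213-L214 turns `goto err_hwaddr_unsync` back into `goto err_close`, so this patch is written against the tree as left by the preceding bonding patch and will not apply to a bare 3.18; `queue-3.18/series` is modified in this commit (L45) but its content is not shown, so please confirm the three bonding patches are listed in upstream order. Removing the `err_hwaddr_unsync` label (L265-L268) is safe only if nothing between the relocated sync block and `return 0` can fail; the lines between the hunks ending at L253 and starting at L255 are not visible, so that is inferred from the upstream change rather than checked here. A one-line comment above the moved block, `/* sync hw addrs only after netdev_master_upper_dev_link() has rejected slave/master loops (see commit message) */`, would record why the block now lives here and must not be moved back. bond_enslave starts and ends outside the hunk.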
diff --git a/queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch b/queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
new file mode 100644 (file)
index 0000000..77be4ce
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:47 +0800
+Subject: bonding: process the err returned by dev_set_allmulti properly in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9f5a90c107741b864398f4ac0014711a8c1d8474 ]
+
+When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails,
+dev_set_promiscuity(-1) should be done before going to the err path.
+Otherwise, dev->promiscuity will leak.
+
+Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1548,8 +1548,11 @@ int bond_enslave(struct net_device *bond
+               /* set allmulti level to new slave */
+               if (bond_dev->flags & IFF_ALLMULTI) {
+                       res = dev_set_allmulti(slave_dev, 1);
+-                      if (res)
++                      if (res) {
++                              if (bond_dev->flags & IFF_PROMISC)
++                                      dev_set_promiscuity(slave_dev, -1);
+                               goto err_sysfs_del;
++                      }
+               }
+               netif_addr_lock_bh(bond_dev);
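Review bot: The unwind on L308-L309 re-tests `bond_dev->flags & IFF_PROMISC` instead of remembering that the `dev_set_promiscuity(slave_dev, 1)` a few lines earlier actually ran; that pairing is correct only because bond_enslave runs under RTNL so the flag cannot change in between, which is worth stating, e.g. `/* flags are stable under RTNL, so this mirrors the +1 taken above */`. The return value of `dev_set_promiscuity(slave_dev, -1)` is discarded; since the function is already failing with the `res` from `dev_set_allmulti()` that is reasonable, but a `(void)` cast or the same comment would make the intent explicit. bond_enslave starts and ends outside the hunk.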
diff --git a/queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch
new file mode 100644 (file)
index 0000000..734c125
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:29 -0700
+Subject: ip6_gre: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466
+
+CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+ ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -320,11 +320,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc
+       if (t || !create)
+               return t;
+-      if (parms->name[0])
++      if (parms->name[0]) {
++              if (!dev_valid_name(parms->name))
++                      return NULL;
+               strlcpy(name, parms->name, IFNAMSIZ);
+-      else
++      } else {
+               strcpy(name, "ip6gre%d");
+-
++      }
+       dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+                          ip6gre_tunnel_setup);
+       if (!dev)
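Review bot: `dev_valid_name()` is now called on `parms->name` as copied from the ioctl, and in the 3.18 tree the helper — if I recall its pre-strnlen form correctly — measures the name with `strlen()`, so a name that is not NUL-terminated within IFNAMSIZ is still read past the buffer by the validator itself even though the `strlcpy()` on L382 is no longer reached. This batch also carries net-fool-proof-dev_valid_name.patch (L17), which I believe bounds that length check; the four tunnel-name patches should be treated as depending on it and kept together with it in `series`. A short comment on the new check, `/* reject names with '/', whitespace or no terminator before they reach strlcpy() */`, would document why the test sits here rather than in the ioctl handler. ip6gre_tunnel_locate starts and ends outside the hunk.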
diff --git a/queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch
new file mode 100644 (file)
index 0000000..82822b3
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:30 -0700
+Subject: ip6_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -307,10 +307,13 @@ static struct ip6_tnl *ip6_tnl_create(st
+       char name[IFNAMSIZ];
+       int err;
+-      if (p->name[0])
++      if (p->name[0]) {
++              if (!dev_valid_name(p->name))
++                      goto failed;
+               strlcpy(name, p->name, IFNAMSIZ);
+-      else
++      } else {
+               sprintf(name, "ip6tnl%%d");
++      }
+       dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+                          ip6_tnl_dev_setup);
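Review bot: The new `goto failed` on L425 is taken with `err` still uninitialized — `int err;` is declared at L421 and nothing assigns it before the jump — so if `failed:` in this 3.18 version of ip6_tnl_create returns `ERR_PTR(err)` (the upstream version I believe initializes `err` before this point) an indeterminate value would reach the caller; if `failed:` still returns plain NULL here, the jump is fine. Please check the tail of the function, which is outside the hunk, and add `err = -EINVAL;` before the goto if `err` is what `failed:` reports. The patch description also says `valid_name()` where `dev_valid_name()` is meant.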
diff --git a/queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch
new file mode 100644 (file)
index 0000000..d2dc345
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:27 -0700
+Subject: ip_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482
+
+CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+ ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
+ ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
+ ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -302,13 +302,14 @@ static struct net_device *__ip_tunnel_cr
+       struct net_device *dev;
+       char name[IFNAMSIZ];
+-      if (parms->name[0])
++      err = -E2BIG;
++      if (parms->name[0]) {
++              if (!dev_valid_name(parms->name))
++                      goto failed;
+               strlcpy(name, parms->name, IFNAMSIZ);
+-      else {
+-              if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
+-                      err = -E2BIG;
++      } else {
++              if (strlen(ops->kind) > (IFNAMSIZ - 3))
+                       goto failed;
+-              }
+               strlcpy(name, ops->kind, IFNAMSIZ);
+               strncat(name, "%d", 2);
+       }
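Review bot: With `err = -E2BIG` hoisted above both branches (L500), a user name rejected by `dev_valid_name()` for containing '/' or whitespace, or for being `.`/`..`, is now reported as E2BIG even though its length is fine; only the over-long case matches that errno. I would set the errno where the failure is detected, `if (!dev_valid_name(parms->name)) { err = -EINVAL; goto failed; }`, which also matches what `dev_change_name()` returns for the same helper, and keep `-E2BIG` for the `ops->kind` length check below. __ip_tunnel_create starts and ends outside the hunk.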
diff --git a/queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch
new file mode 100644 (file)
index 0000000..de512f1
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:28 -0700
+Subject: ipv6: sit: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453
+
+CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+ ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_lo
+       if (!create)
+               goto failed;
+-      if (parms->name[0])
++      if (parms->name[0]) {
++              if (!dev_valid_name(parms->name))
++                      goto failed;
+               strlcpy(name, parms->name, IFNAMSIZ);
+-      else
++      } else {
+               strcpy(name, "sit%d");
+-
++      }
+       dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+                          ipip6_tunnel_setup);
+       if (dev == NULL)
diff --git a/queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch b/queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
new file mode 100644 (file)
index 0000000..7868552
--- /dev/null
@@ -0,0 +1,121 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 23 Mar 2018 14:47:30 +0100
+Subject: ipv6: the entire IPv6 header chain must fit the first fragment
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ]
+
+While building ipv6 datagram we currently allow arbitrary large
+extheaders, even beyond pmtu size. The syzbot has found a way
+to exploit the above to trigger the following splat:
+
+kernel BUG at ./include/linux/skbuff.h:2073!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+    (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline]
+RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636
+RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293
+RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18
+RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000
+R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6
+R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0
+FS:  0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+  ip6_finish_skb include/net/ipv6.h:969 [inline]
+  udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073
+  udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343
+  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
+  sock_sendmsg_nosec net/socket.c:630 [inline]
+  sock_sendmsg+0xca/0x110 net/socket.c:640
+  ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
+  __sys_sendmmsg+0x1ee/0x620 net/socket.c:2136
+  SYSC_sendmmsg net/socket.c:2167 [inline]
+  SyS_sendmmsg+0x35/0x60 net/socket.c:2162
+  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+  entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4404c9
+RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9
+RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0
+R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000
+Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29
+5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d
+87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe
+RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0
+RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP:
+ffff8801bc18f0f0
+
+As stated by RFC 7112 section 5:
+
+   When a host fragments an IPv6 datagram, it MUST include the entire
+   IPv6 Header Chain in the First Fragment.
+
+So this patch addresses the issue dropping datagrams with excessive
+extheader length. It also updates the error path to report to the
+calling socket nonnegative pmtu values.
+
+The issue apparently predates git history.
+
+v1 -> v2: cleanup error path, as per Eric's suggestion
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1151,7 +1151,7 @@ int ip6_append_data(struct sock *sk, int
+       struct ipv6_pinfo *np = inet6_sk(sk);
+       struct inet_cork *cork;
+       struct sk_buff *skb, *skb_prev = NULL;
+-      unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
++      unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
+       int exthdrlen;
+       int dst_exthdrlen;
+       int hh_len;
+@@ -1259,6 +1259,12 @@ int ip6_append_data(struct sock *sk, int
+               else
+                       maxnonfragsize = mtu;
++              /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
++               * the first fragment
++               */
++              if (headersize + transhdrlen > mtu)
++                      goto emsgsize;
++
+               /* dontfrag active */
+               if ((cork->length + length > mtu - headersize) && dontfrag &&
+                   (sk->sk_protocol == IPPROTO_UDP ||
+@@ -1270,9 +1276,8 @@ int ip6_append_data(struct sock *sk, int
+               if (cork->length + length > maxnonfragsize - headersize) {
+ emsgsize:
+-                      ipv6_local_error(sk, EMSGSIZE, fl6,
+-                                       mtu - headersize +
+-                                       sizeof(struct ipv6hdr));
++                      pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
++                      ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
+                       return -EMSGSIZE;
+               }
+       }
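Review bot: The clamp on L711 works only because `mtu - headersize + sizeof(struct ipv6hdr)` is computed in unsigned arithmetic, wraps when `headersize` exceeds `mtu`, and is then narrowed to `int` by `max_t(int, ...)` so that the wrapped value compares as negative; that chain is not obvious from the line and deserves a comment, e.g. `/* mtu - headersize may wrap; max_t(int, ...) turns that into a negative value and clamps it to 0 */`. The new check on L699 compares against `mtu` while the existing size check on L706 uses `maxnonfragsize`; that looks intentional per RFC 7112 (the header chain must fit one fragment, not the non-fragmented limit), and the comment on L696-L698 could say so explicitly. ip6_append_data starts and ends outside the hunk.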
diff --git a/queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch b/queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
new file mode 100644 (file)
index 0000000..ca9fb1b
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 26 Mar 2018 08:08:07 -0700
+Subject: net: fix possible out-of-bound read in skb_network_protocol()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]
+
+skb mac header is not necessarily set at the time skb_network_protocol()
+is called. Use skb->data instead.
+
+BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242
+
+CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
+ skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+ harmonize_features net/core/dev.c:2924 [inline]
+ netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
+ validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
+ validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
+ packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:639
+ ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
+ __sys_sendmsg+0xe5/0x210 net/socket.c:2081
+
+Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pravin B Shelar <pshelar@ovn.org>
+Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2372,7 +2372,7 @@ __be16 skb_network_protocol(struct sk_bu
+               if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
+                       return 0;
+-              eth = (struct ethhdr *)skb_mac_header(skb);
++              eth = (struct ethhdr *)skb->data;
+               type = eth->h_proto;
+       }
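Review bot: The cast on the new `eth = (struct ethhdr *)skb->data;` line is only in bounds because of the `pskb_may_pull(skb, sizeof(struct ethhdr))` check two lines above, and nothing at the site records that dependency; a later reorder or removal of the pull would reintroduce the out-of-bounds read this commit fixes. Suggest a comment on the new line: `/* mac header may not be set yet; pskb_may_pull() above guarantees sizeof(struct ethhdr) linear bytes at skb->data */`. The enclosing skb_network_protocol() starts and ends outside the hunk.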
diff --git a/queue-3.18/net-fool-proof-dev_valid_name.patch b/queue-3.18/net-fool-proof-dev_valid_name.patch
new file mode 100644 (file)
index 0000000..99ccc6f
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:26 -0700
+Subject: net: fool proof dev_valid_name()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ]
+
+We want to use dev_valid_name() to validate tunnel names,
+so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
+sure to not upset KASAN.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -937,7 +937,7 @@ bool dev_valid_name(const char *name)
+ {
+       if (*name == '\0')
+               return false;
+-      if (strlen(name) >= IFNAMSIZ)
++      if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
+               return false;
+       if (!strcmp(name, ".") || !strcmp(name, ".."))
+               return false;
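Review bot: The new `strnlen(name, IFNAMSIZ) == IFNAMSIZ` test deserves a comment, because it is easy to "simplify" back to `strlen()`: the reason for the bounded scan, per the commit message, is that `name` may be a user-provided IFNAMSIZ buffer with no terminator. Suggest `/* name may be an unterminated IFNAMSIZ buffer: bound the scan, and treat no NUL within IFNAMSIZ as too long */`. The `strcmp()` calls on the following lines, and the rest of dev_valid_name() past the hunk, are then reached only with a name known to be terminated within IFNAMSIZ.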
diff --git a/queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch b/queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
new file mode 100644 (file)
index 0000000..85a9741
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+Date: Mon, 26 Mar 2018 14:58:32 -0400
+Subject: net sched actions: fix dumping which requires several messages to user space
+
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+
+
+[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]
+
+Fixes a bug in the tcf_dump_walker function that can cause some actions
+to not be reported when dumping a large number of actions. This issue
+became more aggrevated when cookies feature was added. In particular
+this issue is manifest when large cookie values are assigned to the
+actions and when enough actions are created that the resulting table
+must be dumped in multiple batches.
+
+The number of actions returned in each batch is limited by the total
+number of actions and the memory buffer size.  With small cookies
+the numeric limit is reached before the buffer size limit, which avoids
+the code path triggering this bug. When large cookies are used buffer
+fills before the numeric limit, and the erroneous code path is hit.
+
+For example after creating 32 csum actions with the cookie
+aaaabbbbccccdddd
+
+$ tc actions ls action csum
+total acts 26
+
+    action order 0: csum (tcp) action continue
+    index 1 ref 1 bind 0
+    cookie aaaabbbbccccdddd
+
+    .....
+
+    action order 25: csum (tcp) action continue
+    index 26 ref 1 bind 0
+    cookie aaaabbbbccccdddd
+total acts 6
+
+    action order 0: csum (tcp) action continue
+    index 28 ref 1 bind 0
+    cookie aaaabbbbccccdddd
+
+    ......
+
+    action order 5: csum (tcp) action continue
+    index 32 ref 1 bind 0
+    cookie aaaabbbbccccdddd
+
+Note that the action with index 27 is omitted from the report.
+
+Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
+Signed-off-by: Craig Dillabaugh <cdillaba@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -92,8 +92,10 @@ static int tcf_dump_walker(struct sk_buf
+                       a->order = n_i;
+                       nest = nla_nest_start(skb, a->order);
+-                      if (nest == NULL)
++                      if (nest == NULL) {
++                              index--;
+                               goto nla_put_failure;
++                      }
+                       err = tcf_action_dump_1(skb, a, 0, 0);
+                       if (err < 0) {
+                               index--;
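Review bot: The new `index--;` before `goto nla_put_failure` mirrors the existing decrement in the `tcf_action_dump_1()` failure path below it, but neither says why the counter is unwound; the commit message explains that the action which did not fit must be re-reported in the next batch. Suggest one comment covering both paths, e.g. `/* this action did not fit in the message; back index up so the next dump batch starts from it */`. The loop and the increment of `index` that these decrements undo are outside the hunk, so their placement is inferred from the commit message.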
diff --git a/queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch b/queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
new file mode 100644 (file)
index 0000000..70e02f0
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Alexander Potapenko <glider@google.com>
+Date: Fri, 23 Mar 2018 13:49:02 +0100
+Subject: netlink: make sure nladdr has correct size in netlink_connect()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]
+
+KMSAN reports use of uninitialized memory in the case when |alen| is
+smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
+fully copied from the userspace.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -977,6 +977,9 @@ static int netlink_connect(struct socket
+       if (addr->sa_family != AF_NETLINK)
+               return -EINVAL;
++      if (alen < sizeof(struct sockaddr_nl))
++              return -EINVAL;
++
+       if ((nladdr->nl_groups || nladdr->nl_pid) &&
+           !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+               return -EPERM;
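Review bot: The added `alen < sizeof(struct sockaddr_nl)` check lands after the `addr->sa_family != AF_NETLINK` comparison, so `sa_family` is still read before the length is validated; that is only safe if the part of netlink_connect() above the hunk already rejects `alen < sizeof(addr->sa_family)`, which is worth confirming for this tree. A short comment on the new check would also help the next reader, e.g. `/* nl_groups/nl_pid below are only valid if the caller supplied a full sockaddr_nl */`. The enclosing function starts outside the hunk.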
diff --git a/queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch b/queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
new file mode 100644 (file)
index 0000000..18af72b
--- /dev/null
@@ -0,0 +1,115 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 2 Apr 2018 18:48:37 -0700
+Subject: pptp: remove a buggy dst release in pptp_connect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ]
+
+Once dst has been cached in socket via sk_setup_caps(),
+it is illegal to call ip_rt_put() (or dst_release()),
+since sk_setup_caps() did not change dst refcount.
+
+We can still dereference it since we hold socket lock.
+
+Caugth by syzbot :
+
+BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185
+Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088
+
+CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1a7/0x27d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+ dst_release+0x27/0xa0 net/core/dst.c:185
+ sk_dst_set include/net/sock.h:1812 [inline]
+ sk_dst_reset include/net/sock.h:1824 [inline]
+ sock_setbindtodevice net/core/sock.c:610 [inline]
+ sock_setsockopt+0x431/0x1b20 net/core/sock.c:707
+ SYSC_setsockopt net/socket.c:1845 [inline]
+ SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4552d9
+RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9
+RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
+R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000
+
+Allocated by task 20088:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
+ dst_alloc+0x11f/0x1a0 net/core/dst.c:104
+ rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520
+ __mkroute_output net/ipv4/route.c:2265 [inline]
+ ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493
+ ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322
+ __ip_route_output_key include/net/route.h:126 [inline]
+ ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577
+ ip_route_output_ports include/net/route.h:163 [inline]
+ pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453
+ SYSC_connect+0x213/0x4a0 net/socket.c:1639
+ SyS_connect+0x24/0x30 net/socket.c:1620
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Freed by task 20082:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
+ __cache_free mm/slab.c:3486 [inline]
+ kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
+ dst_destroy+0x266/0x380 net/core/dst.c:140
+ dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2675 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
+ rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+
+The buggy address belongs to the object at ffff8801c54dc000
+ which belongs to the cache ip_dst_cache of size 168
+The buggy address is located 64 bytes inside of
+ 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
+The buggy address belongs to the page:
+page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
+raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -488,7 +488,6 @@ static int pptp_connect(struct socket *s
+       po->chan.mtu = dst_mtu(&rt->dst);
+       if (!po->chan.mtu)
+               po->chan.mtu = PPP_MRU;
+-      ip_rt_put(rt);
+       po->chan.mtu -= PPTP_HEADER_OVERHEAD;
+       po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
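Review bot: With `ip_rt_put(rt)` removed, `rt` is still dereferenced on the `dst_mtu(&rt->dst)` line and nothing at the site records who owns the route now, so the next person to run a leak checker over pptp_connect() may re-add the put. Suggest a comment at that point, e.g. `/* rt was handed to the socket by sk_setup_caps() without taking an extra ref; do not release it here */`, with the caveat that the sk_setup_caps() call is outside the hunk and known only from the commit message. The enclosing function starts and ends outside the hunk.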
diff --git a/queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch b/queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch
new file mode 100644 (file)
index 0000000..85ea3d2
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 26 Mar 2018 19:19:30 +0200
+Subject: r8169: fix setting driver_data after register_netdev
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 19c9ea363a244f85f90a424f9936e6d56449e33c ]
+
+pci_set_drvdata() is called only after registering the net_device,
+therefore we could run into a NPE if one of the functions using
+driver_data is called before it's set.
+
+Fix this by calling pci_set_drvdata() before registering the
+net_device.
+
+This fix is a candidate for stable. As far as I can see the
+bug has been there in kernel version 3.2 already, therefore
+I can't provide a reference which commit is fixed by it.
+
+The fix may need small adjustments per kernel version because
+due to other changes the label which is jumped to if
+register_netdev() fails has changed over time.
+
+Reported-by: David Miller <davem@davemloft.net>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8278,12 +8278,12 @@ static int rtl_init_one(struct pci_dev *
+       tp->rtl_fw = RTL_FIRMWARE_UNKNOWN;
++      pci_set_drvdata(pdev, dev);
++
+       rc = register_netdev(dev);
+       if (rc < 0)
+               goto err_out_msi_4;
+-      pci_set_drvdata(pdev, dev);
+-
+       netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
+                  rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
+                  (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
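Review bot: Moving `pci_set_drvdata(pdev, dev)` ahead of `register_netdev()` fixes the early-callback dereference, but on the `rc < 0` path drvdata now points at a net_device that the `err_out_msi_4` unwind is about to free. The commit message notes the label differs per kernel version; it is worth confirming for this tree that either that error path or the PCI/driver core clears drvdata on probe failure, otherwise a `pci_set_drvdata(pdev, NULL);` on the failure path is cheap insurance. rtl_init_one() and the err_out_msi_4 label are outside the hunk.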
diff --git a/queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch b/queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch
new file mode 100644 (file)
index 0000000..486ea57
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 17:15:22 -0700
+Subject: sctp: do not leak kernel memory to user space
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
+
+syzbot produced a nice report [1]
+
+Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
+to user space, because sin_zero (padding field) was not properly cleared.
+
+[1]
+BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
+BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
+CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4401c9
+RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
+RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
+R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+
+Bytes 8-15 of 16 are uninitialized
+
+==================================================================
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G    B            4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ panic+0x39d/0x940 kernel/panic.c:183
+ kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc:    Vlad Yasevich <vyasevich@gmail.com>
+Cc:    Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -722,8 +722,10 @@ static int sctp_v6_addr_to_user(struct s
+                       sctp_v6_map_v4(addr);
+       }
+-      if (addr->sa.sa_family == AF_INET)
++      if (addr->sa.sa_family == AF_INET) {
++              memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+               return sizeof(struct sockaddr_in);
++      }
+       return sizeof(struct sockaddr_in6);
+ }
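Review bot: The added `memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));` is correct but silent about its purpose; it clears padding that the caller copies to user space, and a later cleanup could drop it as a no-op since nothing in this function reads `sin_zero`. Suggest a comment above it: `/* sin_zero is padding that reaches user space; clear it so no kernel stack bytes leak */`. sctp_v6_addr_to_user() starts outside the hunk.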
diff --git a/queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch b/queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
new file mode 100644 (file)
index 0000000..fb4a4b1
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 8 Apr 2018 07:52:08 -0700
+Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]
+
+Check must happen before call to ipv6_addr_v4mapped()
+
+syzbot report was :
+
+BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+ sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+ sctp_bind+0x149/0x190 net/sctp/socket.c:332
+ inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fd49
+RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
+R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----address@SYSC_bind
+Variable was created at:
+ SYSC_bind+0x6f/0x4b0 net/socket.c:1461
+ SyS_bind+0x54/0x80 net/socket.c:1460
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -336,11 +336,14 @@ static struct sctp_af *sctp_sockaddr_af(
+       if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+               return NULL;
+-      /* V4 mapped address are really of AF_INET family */
+-      if (addr->sa.sa_family == AF_INET6 &&
+-          ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+-          !opt->pf->af_supported(AF_INET, opt))
+-              return NULL;
++      if (addr->sa.sa_family == AF_INET6) {
++              if (len < SIN6_LEN_RFC2133)
++                      return NULL;
++              /* V4 mapped address are really of AF_INET family */
++              if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
++                  !opt->pf->af_supported(AF_INET, opt))
++                      return NULL;
++      }
+       /* If we get this far, af is valid. */
+       af = sctp_get_af_specific(addr->sa.sa_family);
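Review bot: The new `len < SIN6_LEN_RFC2133` guard uses the RFC 2133 length rather than `sizeof(struct sockaddr_in6)`, which is the right bound for this spot since only `sin6_addr` is read here, but nothing says so and a reader may "fix" it to the full size or wonder why AF_INET needs no equivalent. Suggest `/* only sin6_addr is read below; the full per-family length is checked by the caller */` next to the check, hedged because the caller's length check is outside the hunk. sctp_sockaddr_af() starts and ends outside the hunk.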
index ba6425434801dfbeeb422e950a584a221970ab4d..8df7d38fdb27e464bc0566df6b6d266d41e1a1b1 100644 (file)
@@ -100,3 +100,22 @@ virtio_net-check-return-value-of-skb_to_sgvec-always.patch
 virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
 random-use-lockless-method-of-accessing-and-updating-f-reg_idx.patch
 futex-remove-requirement-for-lock_page-in-get_futex_key.patch
+net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
+netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
+pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
+sctp-do-not-leak-kernel-memory-to-user-space.patch
+sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
+sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
+vhost-correctly-remove-wait-queue-during-poll-failure.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
+bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
+net-fool-proof-dev_valid_name.patch
+ip_tunnel-better-validate-user-provided-tunnel-names.patch
+ipv6-sit-better-validate-user-provided-tunnel-names.patch
+ip6_gre-better-validate-user-provided-tunnel-names.patch
+vti6-better-validate-user-provided-tunnel-names.patch
+ip6_tunnel-better-validate-user-provided-tunnel-names.patch
+r8169-fix-setting-driver_data-after-register_netdev.patch
+net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
+ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
diff --git a/queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch b/queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
new file mode 100644 (file)
index 0000000..d04df19
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sat, 31 Mar 2018 23:42:03 +0800
+Subject: sky2: Increase D3 delay to sky2 stops working after suspend
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+
+[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ]
+
+The sky2 ethernet stops working after system resume from suspend:
+[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
+
+The current 150ms delay is not enough, change it to 200ms can solve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1758507
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5069,7 +5069,7 @@ static int sky2_probe(struct pci_dev *pd
+       INIT_WORK(&hw->restart_work, sky2_restart);
+       pci_set_drvdata(pdev, hw);
+-      pdev->d3_delay = 150;
++      pdev->d3_delay = 200;
+       return 0;
diff --git a/queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch b/queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch
new file mode 100644 (file)
index 0000000..e9d1c84
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 27 Mar 2018 20:50:52 +0800
+Subject: vhost: correctly remove wait queue during poll failure
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit dc6455a71c7fc5117977e197f67f71b49f27baba ]
+
+We tried to remove vq poll from wait queue, but do not check whether
+or not it was in a list before. This will lead double free. Fixing
+this by switching to use vhost_poll_stop() which zeros poll->wqh after
+removing poll from waitqueue to make sure it won't be freed twice.
+
+Cc: Darren Kenny <darren.kenny@oracle.com>
+Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
+Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -96,8 +96,7 @@ int vhost_poll_start(struct vhost_poll *
+       if (mask)
+               vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
+       if (mask & POLLERR) {
+-              if (poll->wqh)
+-                      remove_wait_queue(poll->wqh, &poll->wait);
++              vhost_poll_stop(poll);
+               ret = -EINVAL;
+       }
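Review bot: The `vhost_poll_stop(poll)` call replaces the open-coded `if (poll->wqh) remove_wait_queue(...)` and, per the commit message, also zeroes `poll->wqh` so a later stop does not remove the entry twice; that invariant is the whole fix and should be stated at the call site so nobody reverts to the shorter form. Suggest `/* vhost_poll_stop() clears poll->wqh so a later stop/flush won't remove the wait entry again */`. vhost_poll_start() starts and ends outside the hunk.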
diff --git a/queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch b/queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch
new file mode 100644 (file)
index 0000000..e601b2f
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:31 -0700
+Subject: vti6: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -195,10 +195,13 @@ static struct ip6_tnl *vti6_tnl_create(s
+       char name[IFNAMSIZ];
+       int err;
+-      if (p->name[0])
++      if (p->name[0]) {
++              if (!dev_valid_name(p->name))
++                      goto failed;
+               strlcpy(name, p->name, IFNAMSIZ);
+-      else
++      } else {
+               sprintf(name, "ip6_vti%%d");
++      }
+       dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
+       if (dev == NULL)