--- /dev/null
+From 863204cfdae98626a92535ac928ad79f4d6b74ff Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Dec 2017 14:17:17 +0100
+Subject: ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 863204cfdae98626a92535ac928ad79f4d6b74ff upstream.
+
+In configurations without CONFIG_OMAP3 but with secure RAM support,
+we now run into a link failure:
+
+arch/arm/mach-omap2/omap-secure.o: In function `omap3_save_secure_ram':
+omap-secure.c:(.text+0x130): undefined reference to `save_secure_ram_context'
+
+The omap3_save_secure_ram() function is only called from the OMAP34xx
+power management code, so we can simply hide that function in the
+appropriate #ifdef.
+
+Fixes: d09220a887f7 ("ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context")
+Acked-by: Tony Lindgren <tony@atomide.com>
+Tested-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap-secure.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap-secure.c
++++ b/arch/arm/mach-omap2/omap-secure.c
+@@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base
+ return omap_secure_memblock_base;
+ }
+
++#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM)
+ u32 omap3_save_secure_ram(void __iomem *addr, int size)
+ {
+ u32 ret;
+@@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem *
+
+ return ret;
+ }
++#endif
+
+ /**
+ * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
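Review bot: `omap3_save_secure_ram()` is now compiled only under `CONFIG_ARCH_OMAP3 && CONFIG_PM`, but its prototype in the header is not shown; if that declaration stays unconditional, a caller enabled in some other configuration fails at link time rather than at compile time, which is exactly the class of failure this change is fixing. Either guard the declaration the same way or provide a `static inline` stub returning an error in an `#else` branch, so the failure mode is a compile error or a defined return value. A one-line comment on the `#if`, `/* only used by the OMAP34xx power management code */`, would also record why the guard is narrower than the rest of the file. The `#if`/`#endif` pair straddles the two hunks and wraps the function completely.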
--- /dev/null
+From 9dd46c02532a6bed6240101ecf4bbc407f8c6adf Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 13 Feb 2017 15:45:59 -0800
+Subject: Input: tca8418_keypad - remove double read of key event register
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 9dd46c02532a6bed6240101ecf4bbc407f8c6adf upstream.
+
+There is no need to tread the same register twice in a row.
+
+Fixes: ea4348c8462a ("Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-un ...")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/tca8418_keypad.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/input/keyboard/tca8418_keypad.c
++++ b/drivers/input/keyboard/tca8418_keypad.c
+@@ -189,8 +189,6 @@ static void tca8418_read_keypad(struct t
+ input_event(input, EV_MSC, MSC_SCAN, code);
+ input_report_key(input, keymap[code], state);
+
+- /* Read for next loop */
+- error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®);
+ } while (1);
+
+ input_sync(input);
--- /dev/null
+From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: netfilter: add back stackpointer size checks
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
+
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c | 4 ++++
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -329,6 +329,10 @@ unsigned int arpt_do_table(struct sk_buf
+ }
+ if (table_base + v
+ != arpt_next_entry(e)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -408,6 +408,10 @@ ipt_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v != ipt_next_entry(e) &&
+ !(e->ip.flags & IPT_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ pr_debug("Pushed %p into pos %u\n",
+ e, stackidx - 1);
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -425,6 +425,10 @@ ip6t_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v != ip6t_next_entry(e) &&
+ !(e->ipv6.flags & IP6T_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
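Review bot: The new overflow guard is identical in all three `*_do_table()` hunks (arp_tables.c, ip_tables.c, ip6_tables.c) and drops the packet silently, yet reaching it means a rule blob with a jump but no user-defined chains passed `translate_table()` and got no jump stack at all — the commit message calls this out — so the runtime check is the last line of defence, not the natural place to catch it. Rejecting such a blob at validation time (where the stack size is computed) in addition to this guard would fail the setsockopt with an error instead of silently black-holing traffic at runtime. A rate-limited diagnostic at the drop site, e.g. `net_warn_ratelimited("jumpstack overflow, dropping packet\n");` before `verdict = NF_DROP;`, would make the condition visible to whoever is debugging a dropped flow; the ip_tables copy already has a `pr_debug` on the push path. The `break` relies on the post-loop handling of `verdict`, which lies outside each hunk.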
--- /dev/null
+From c4585a2823edf4d1326da44d1524ecbfda26bb37 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 03:01:45 +0100
+Subject: netfilter: bridge: ebt_among: add missing match size checks
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.
+
+ebt_among is special, it has a dynamic match size and is exempt
+from the central size checks.
+
+Therefore it must check that the size of the match structure
+provided from userspace is sane by making sure em->match_size
+is at least the minimum size of the expected structure.
+
+The module has such a check, but its only done after accessing
+a structure that might be out of bounds.
+
+tested with: ebtables -A INPUT ... \
+--among-dst fe:fe:fe:fe:fe:fe
+--among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe
+--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe
+
+Reported-by: <syzbot+fe0b19af568972814355@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/netfilter/ebt_among.c
++++ b/net/bridge/netfilter/ebt_among.c
+@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb,
+ return true;
+ }
+
++static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
++{
++ return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
++}
++
+ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
+ {
+ const struct ebt_among_info *info = par->matchinfo;
+ const struct ebt_entry_match *em =
+ container_of(par->matchinfo, const struct ebt_entry_match, data);
+- int expected_length = sizeof(struct ebt_among_info);
++ unsigned int expected_length = sizeof(struct ebt_among_info);
+ const struct ebt_mac_wormhash *wh_dst, *wh_src;
+ int err;
+
++ if (expected_length > em->match_size)
++ return -EINVAL;
++
+ wh_dst = ebt_among_wh_dst(info);
+- wh_src = ebt_among_wh_src(info);
++ if (poolsize_invalid(wh_dst))
++ return -EINVAL;
++
+ expected_length += ebt_mac_wormhash_size(wh_dst);
++ if (expected_length > em->match_size)
++ return -EINVAL;
++
++ wh_src = ebt_among_wh_src(info);
++ if (poolsize_invalid(wh_src))
++ return -EINVAL;
++
+ expected_length += ebt_mac_wormhash_size(wh_src);
+
+ if (em->match_size != EBT_ALIGN(expected_length)) {
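Review bot: The new checks still dereference `wh_dst->poolsize` and `wh_src->poolsize` through a pointer that `ebt_among_wh_dst()`/`ebt_among_wh_src()` compute from an offset stored in the userspace-supplied `info`, and nothing in the hunk bounds that offset against `em->match_size` before `poolsize_invalid()` reads through it. The first `expected_length > em->match_size` check only proves that `struct ebt_among_info` itself fits, not that the offset it carries points inside the match. If the uapi offset fields are `wh_dst_ofs`/`wh_src_ofs` as in the ebt_among header, a small validator run before each `poolsize_invalid()` call closes that gap; a sketch follows. `ebt_among_mt_check()` continues past the end of the hunk.
```c
static bool wormhash_offset_invalid(int off, unsigned int len)
{
	if (off == 0) /* not present */
		return false;

	if (off < (int)sizeof(struct ebt_among_info) ||
	    off % __alignof__(struct ebt_mac_wormhash))
		return true;

	off += sizeof(struct ebt_mac_wormhash);

	return off > len;
}

/* … unchanged: poolsize_invalid(), start of ebt_among_mt_check() … */
	if (expected_length > em->match_size)
		return -EINVAL;

	if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
	    wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
		return -EINVAL;

	wh_dst = ebt_among_wh_dst(info);
/* … unchanged: poolsize and accumulated-length checks … */
```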
--- /dev/null
+From b71812168571fa55e44cdd0254471331b9c4c4c6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:15 +0100
+Subject: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
+
+From: Florian Westphal <fw@strlen.de>
+
+commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.
+
+We need to make sure the offsets are not out of range of the
+total size.
+Also check that they are in ascending order.
+
+The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
+changed to also bail out, no point in continuing parsing.
+
+Briefly tested with simple ruleset of
+-A INPUT --limit 1/s' --log
+plus jump to custom chains using 32bit ebtables binary.
+
+Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2021,7 +2021,9 @@ static int ebt_size_mwt(struct compat_eb
+ if (match_kern)
+ match_kern->match_size = ret;
+
+- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
++ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++ return -EINVAL;
++
+ match32 = (struct compat_ebt_entry_mwt *) buf;
+ }
+
+@@ -2078,6 +2080,15 @@ static int size_entry_mwt(struct ebt_ent
+ *
+ * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+ */
++ for (i = 0; i < 4 ; ++i) {
++ if (offsets[i] >= *total)
++ return -EINVAL;
++ if (i == 0)
++ continue;
++ if (offsets[i-1] > offsets[i])
++ return -EINVAL;
++ }
++
+ for (i = 0, j = 1 ; j < 4 ; j++, i++) {
+ struct compat_ebt_entry_mwt *match32;
+ unsigned int size;
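Review bot: The new bounds loop hard-codes `4` for the number of entries in `offsets[]`, as does the pre-existing loop below it; provided `offsets` is declared as an array in this function, `for (i = 0; i < ARRAY_SIZE(offsets); ++i) {` ties the check to the array so the two cannot drift apart. The ordering test `offsets[i-1] > offsets[i]` accepts equal neighbours, presumably on purpose (an empty match or watcher list has zero size); a comment such as `/* equal offsets are allowed: an empty match/watcher list has zero size */` would stop a later reader from "tightening" it to `>=`. The `WARN_ON` turned into a bail-out in the first hunk is the right call given that syzkaller runs with panic_on_warn. `size_entry_mwt()` begins before the hunk and its body continues after it.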
--- /dev/null
+From cfc2c740533368b96e2be5e0a4e8c3cace7d9814 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 16 Feb 2018 19:36:28 -0800
+Subject: netfilter: IDLETIMER: be syzkaller friendly
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit cfc2c740533368b96e2be5e0a4e8c3cace7d9814 upstream.
+
+We had one report from syzkaller [1]
+
+First issue is that INIT_WORK() should be done before mod_timer()
+or we risk timer being fired too soon, even with a 1 second timer.
+
+Second issue is that we need to reject too big info->timeout
+to avoid overflows in msecs_to_jiffies(info->timeout * 1000), or
+risk looping, if result after overflow is 0.
+
+[1]
+WARNING: CPU: 1 PID: 5129 at kernel/workqueue.c:1444 __queue_work+0xdf4/0x1230 kernel/workqueue.c:1444
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 5129 Comm: syzkaller159866 Not tainted 4.16.0-rc1+ #230
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ panic+0x1e4/0x41c kernel/panic.c:183
+ __warn+0x1dc/0x200 kernel/panic.c:547
+ report_bug+0x211/0x2d0 lib/bug.c:184
+ fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
+ fixup_bug arch/x86/kernel/traps.c:247 [inline]
+ do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
+ invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:988
+RIP: 0010:__queue_work+0xdf4/0x1230 kernel/workqueue.c:1444
+RSP: 0018:ffff8801db507538 EFLAGS: 00010006
+RAX: ffff8801aeb46080 RBX: ffff8801db530200 RCX: ffffffff81481404
+RDX: 0000000000000100 RSI: ffffffff86b42640 RDI: 0000000000000082
+RBP: ffff8801db507758 R08: 1ffff1003b6a0de5 R09: 000000000000000c
+R10: ffff8801db5073f0 R11: 0000000000000020 R12: 1ffff1003b6a0eb6
+R13: ffff8801b1067ae0 R14: 00000000000001f8 R15: dffffc0000000000
+ queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1488
+ queue_work include/linux/workqueue.h:488 [inline]
+ schedule_work include/linux/workqueue.h:546 [inline]
+ idletimer_tg_expired+0x44/0x60 net/netfilter/xt_IDLETIMER.c:116
+ call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:541 [inline]
+ smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:829
+ </IRQ>
+RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline]
+RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
+RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184
+RSP: 0018:ffff8801c20173c8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12
+RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000006
+RDX: 1ffffffff0d592cd RSI: 1ffff10035d68d23 RDI: 0000000000000282
+RBP: ffff8801c20173d8 R08: 1ffff10038402e47 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8820e5c8
+R13: ffff8801b1067ad8 R14: ffff8801aea7c268 R15: ffff8801aea7c278
+ __debug_object_init+0x235/0x1040 lib/debugobjects.c:378
+ debug_object_init+0x17/0x20 lib/debugobjects.c:391
+ __init_work+0x2b/0x60 kernel/workqueue.c:506
+ idletimer_tg_create net/netfilter/xt_IDLETIMER.c:152 [inline]
+ idletimer_tg_checkentry+0x691/0xb00 net/netfilter/xt_IDLETIMER.c:213
+ xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850
+ check_target net/ipv6/netfilter/ip6_tables.c:533 [inline]
+ find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:575
+ translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744
+ do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
+ do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927
+ udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2976
+ SYSC_setsockopt net/socket.c:1850 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1829
+ do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
+
+Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_IDLETIMER.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/xt_IDLETIMER.c
++++ b/net/netfilter/xt_IDLETIMER.c
+@@ -147,11 +147,11 @@ static int idletimer_tg_create(struct id
+ (unsigned long) info->timer);
+ info->timer->refcnt = 1;
+
++ INIT_WORK(&info->timer->work, idletimer_tg_work);
++
+ mod_timer(&info->timer->timer,
+ msecs_to_jiffies(info->timeout * 1000) + jiffies);
+
+- INIT_WORK(&info->timer->work, idletimer_tg_work);
+-
+ return 0;
+
+ out_free_attr:
+@@ -192,7 +192,10 @@ static int idletimer_tg_checkentry(const
+ pr_debug("timeout value is zero\n");
+ return -EINVAL;
+ }
+-
++ if (info->timeout >= INT_MAX / 1000) {
++ pr_debug("timeout value is too big\n");
++ return -EINVAL;
++ }
+ if (info->label[0] == '\0' ||
+ strnlen(info->label,
+ MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
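Review bot: The new upper bound `info->timeout >= INT_MAX / 1000` duplicates the literal `1000` that `idletimer_tg_create()` uses in `msecs_to_jiffies(info->timeout * 1000)` (first hunk), so the two can silently diverge; `if (info->timeout >= INT_MAX / MSEC_PER_SEC) {` names the intent and keeps the check in step with the conversion. The bound itself is sound: it keeps the multiplication below `INT_MAX`, which is the commit's stated goal. Moving `INIT_WORK()` ahead of `mod_timer()` in the first hunk removes the window in which the timer could fire on an uninitialised work item. `idletimer_tg_checkentry()` continues beyond the hunk.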
--- /dev/null
+From b078556aecd791b0e5cb3a59f4c3a14273b52121 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 08:10:17 +0100
+Subject: netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
+
+From: Florian Westphal <fw@strlen.de>
+
+commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.
+
+l4proto->manip_pkt() can cause reallocation of skb head so pointer
+to the ipv6 header must be reloaded.
+
+Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
+Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
+ !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
+ target, maniptype))
+ return false;
++
++ /* must reload, offset might have changed */
++ ipv6h = (void *)skb->data + iphdroff;
++
+ manip_addr:
+ if (maniptype == NF_NAT_MANIP_SRC)
+ ipv6h->saddr = target->src.u3.in6;
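Review bot: The added comment `/* must reload, offset might have changed */` misstates the reason: `iphdroff` is unchanged, it is the skb head that `l4proto->manip_pkt()` may reallocate, as the commit message says, so `skb->data` is what moved and the old `ipv6h` became dangling. Suggest `/* must reload: manip_pkt() may have reallocated the skb head */`, which points the next reader at the actual hazard. The reload is placed correctly, after the only call that can resize the skb and before the `manip_addr:` writes. `nf_nat_ipv6_manip_pkt()` starts above the hunk.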
--- /dev/null
+From db57ccf0f2f4624b4c4758379f8165277504fbd7 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 14 Feb 2018 17:21:19 +0100
+Subject: netfilter: nat: cope with negative port range
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit db57ccf0f2f4624b4c4758379f8165277504fbd7 upstream.
+
+syzbot reported a division by 0 bug in the netfilter nat code:
+
+divide error: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530
+net/netfilter/nf_nat_proto_common.c:88
+RSP: 0018:ffff8801b2466778 EFLAGS: 00010246
+RAX: 000000000000f153 RBX: ffff8801b2466dd8 RCX: ffff8801b2466c7c
+RDX: 0000000000000000 RSI: ffff8801b2466c58 RDI: ffff8801db5293ac
+RBP: ffff8801b24667d8 R08: ffff8801b8ba6dc0 R09: ffffffff88af5900
+R10: ffff8801b24666f0 R11: 0000000000000000 R12: 000000002990f153
+R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801b2466c7c
+FS: 00000000017e3880(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000208fdfe4 CR3: 00000001b5340002 CR4: 00000000001606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ dccp_unique_tuple+0x40/0x50 net/netfilter/nf_nat_proto_dccp.c:30
+ get_unique_tuple+0xc28/0x1c10 net/netfilter/nf_nat_core.c:362
+ nf_nat_setup_info+0x1c2/0xe00 net/netfilter/nf_nat_core.c:406
+ nf_nat_redirect_ipv6+0x306/0x730 net/netfilter/nf_nat_redirect.c:124
+ redirect_tg6+0x7f/0xb0 net/netfilter/xt_REDIRECT.c:34
+ ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
+ ip6table_nat_do_chain+0x65/0x80 net/ipv6/netfilter/ip6table_nat.c:41
+ nf_nat_ipv6_fn+0x594/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:302
+ nf_nat_ipv6_local_fn+0x33/0x5d0
+net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407
+ ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
+ nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
+ nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
+ nf_hook include/linux/netfilter.h:243 [inline]
+ NF_HOOK include/linux/netfilter.h:286 [inline]
+ ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
+ inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
+ dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
+ dccp_connect+0x369/0x670 net/dccp/output.c:564
+ dccp_v6_connect+0xe17/0x1bf0 net/dccp/ipv6.c:946
+ __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
+ inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
+ SYSC_connect+0x213/0x4a0 net/socket.c:1639
+ SyS_connect+0x24/0x30 net/socket.c:1620
+ do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x441c69
+RSP: 002b:00007ffe50cc0be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000441c69
+RDX: 000000000000001c RSI: 00000000208fdfe4 RDI: 0000000000000003
+RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000538 R11: 0000000000000217 R12: 0000000000403590
+R13: 0000000000403620 R14: 0000000000000000 R15: 0000000000000000
+Code: 48 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 46 02 00 00 48 8b
+45 c8 44 0f b7 20 e8 88 97 04 fd 31 d2 41 0f b7 c4 4c 89 f9 <41> f7 f6 48
+c1 e9 03 48 b8 00 00 00 00 00 fc ff df 0f b6 0c 01
+RIP: nf_nat_l4proto_unique_tuple+0x291/0x530
+net/netfilter/nf_nat_proto_common.c:88 RSP: ffff8801b2466778
+
+The problem is that currently we don't have any check on the
+configured port range. A port range == -1 triggers the bug, while
+other negative values may require a very long time to complete the
+following loop.
+
+This commit addresses the issue swapping the two ends on negative
+ranges. The check is performed in nf_nat_l4proto_unique_tuple() since
+the nft nat loads the port values from nft registers at runtime.
+
+v1 -> v2: use the correct 'Fixes' tag
+v2 -> v3: update commit message, drop unneeded READ_ONCE()
+
+Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
+Reported-by: syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_proto_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_nat_proto_common.c
++++ b/net/netfilter/nf_nat_proto_common.c
+@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const s
+ const struct nf_conn *ct,
+ u16 *rover)
+ {
+- unsigned int range_size, min, i;
++ unsigned int range_size, min, max, i;
+ __be16 *portptr;
+ u_int16_t off;
+
+@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const s
+ }
+ } else {
+ min = ntohs(range->min_proto.all);
+- range_size = ntohs(range->max_proto.all) - min + 1;
++ max = ntohs(range->max_proto.all);
++ if (unlikely(max < min))
++ swap(max, min);
++ range_size = max - min + 1;
+ }
+
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
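Review bot: Swapping a reversed `min`/`max` quietly accepts a range that userspace most likely mis-specified, and nothing records that it happened; a `pr_debug`-level message at the swap would help anyone later wondering why a NAT rule maps to unexpected ports, and the inverted-range-is-accepted behaviour should be stated in the comment at the declaration of `nf_nat_l4proto_unique_tuple()`, since nft rules now rely on it. With both ends read as 16-bit values, `max - min + 1` after the swap is at most 65536, so `range_size` can no longer be 0 or wrap to a huge value — the division by zero is closed. The function continues past the hunk.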
--- /dev/null
+From 29e09229d9f26129a39462fae0ddabc4d9533989 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 17 Feb 2017 08:39:28 +0100
+Subject: netfilter: use skb_to_full_sk in ip_route_me_harder
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 29e09229d9f26129a39462fae0ddabc4d9533989 upstream.
+
+inet_sk(skb->sk) is illegal in case skb is attached to request socket.
+
+Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
+Reported by: Daniel J Blueman <daniel@quora.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Tested-by: Daniel J Blueman <daniel@quora.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -23,7 +23,8 @@ int ip_route_me_harder(struct net *net,
+ struct rtable *rt;
+ struct flowi4 fl4 = {};
+ __be32 saddr = iph->saddr;
+- __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
++ const struct sock *sk = skb_to_full_sk(skb);
++ __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;
+ unsigned int hh_len;
+
+ if (addr_type == RTN_UNSPEC)
+@@ -39,7 +40,7 @@ int ip_route_me_harder(struct net *net,
+ fl4.daddr = iph->daddr;
+ fl4.saddr = saddr;
+ fl4.flowi4_tos = RT_TOS(iph->tos);
+- fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
++ fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
+ fl4.flowi4_mark = skb->mark;
+ fl4.flowi4_flags = flags;
+ rt = ip_route_output_key(net, &fl4);
+@@ -58,7 +59,7 @@ int ip_route_me_harder(struct net *net,
+ xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) {
+ struct dst_entry *dst = skb_dst(skb);
+ skb_dst_set(skb, NULL);
+- dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0);
++ dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+ skb_dst_set(skb, dst);
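Review bot: Replacing `skb->sk` with `skb_to_full_sk(skb)` fixes the request-socket case in the three places visible here, but the IPv6 counterpart `ip6_route_me_harder()` in net/ipv6/netfilter.c is written the same way, and if it still derives the output interface and the xfrm socket from `skb->sk` directly it has the same exposure and should get the same treatment (that file is not in view). A one-line comment on the new declaration, `/* skb->sk may be a request socket; inet_sk() on it is invalid */`, would preserve the reason for the indirection. `ip_route_me_harder()` begins above the hunk and continues below it.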
--- /dev/null
+From 10414014bc085aac9f787a5890b33b5605fbcfc4 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 12 Feb 2018 18:49:39 +0100
+Subject: netfilter: x_tables: fix missing timer initialization in xt_LED
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 10414014bc085aac9f787a5890b33b5605fbcfc4 upstream.
+
+syzbot reported that xt_LED may try to use the ledinternal->timer
+without previously initializing it:
+
+------------[ cut here ]------------
+kernel BUG at kernel/time/timer.c:958!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 1826 Comm: kworker/1:2 Not tainted 4.15.0+ #306
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+RIP: 0010:__mod_timer kernel/time/timer.c:958 [inline]
+RIP: 0010:mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102
+RSP: 0018:ffff8801d24fe9f8 EFLAGS: 00010293
+RAX: ffff8801d25246c0 RBX: ffff8801aec6cb50 RCX: ffffffff816052c6
+RDX: 0000000000000000 RSI: 00000000fffbd14b RDI: ffff8801aec6cb68
+RBP: ffff8801d24fec98 R08: 0000000000000000 R09: 1ffff1003a49fd6c
+R10: ffff8801d24feb28 R11: 0000000000000005 R12: dffffc0000000000
+R13: ffff8801d24fec70 R14: 00000000fffbd14b R15: ffff8801af608f90
+FS: 0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000206d6fd0 CR3: 0000000006a22001 CR4: 00000000001606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ led_tg+0x1db/0x2e0 net/netfilter/xt_LED.c:75
+ ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
+ ip6table_raw_hook+0x65/0x80 net/ipv6/netfilter/ip6table_raw.c:42
+ nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
+ nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
+ nf_hook.constprop.27+0x3f6/0x830 include/linux/netfilter.h:243
+ NF_HOOK include/linux/netfilter.h:286 [inline]
+ ndisc_send_skb+0xa51/0x1370 net/ipv6/ndisc.c:491
+ ndisc_send_ns+0x38a/0x870 net/ipv6/ndisc.c:633
+ addrconf_dad_work+0xb9e/0x1320 net/ipv6/addrconf.c:4008
+ process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
+ worker_thread+0x223/0x1990 kernel/workqueue.c:2247
+ kthread+0x33c/0x400 kernel/kthread.c:238
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
+Code: 85 2a 0b 00 00 4d 8b 3c 24 4d 85 ff 75 9f 4c 8b bd 60 fd ff ff e8 bb
+57 10 00 65 ff 0d 94 9a a1 7e e9 d9 fc ff ff e8 aa 57 10 00 <0f> 0b e8 a3
+57 10 00 e9 14 fb ff ff e8 99 57 10 00 4c 89 bd 70
+RIP: __mod_timer kernel/time/timer.c:958 [inline] RSP: ffff8801d24fe9f8
+RIP: mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: ffff8801d24fe9f8
+---[ end trace f661ab06f5dd8b3d ]---
+
+The ledinternal struct can be shared between several different
+xt_LED targets, but the related timer is currently initialized only
+if the first target requires it. Fix it by unconditionally
+initializing the timer struct.
+
+v1 -> v2: call del_timer_sync() unconditionally, too.
+
+Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target")
+Reported-by: syzbot+10c98dc5725c6c8fc7fb@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_LED.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/xt_LED.c
++++ b/net/netfilter/xt_LED.c
+@@ -141,10 +141,11 @@ static int led_tg_check(const struct xt_
+ goto exit_alloc;
+ }
+
+- /* See if we need to set up a timer */
+- if (ledinfo->delay > 0)
+- setup_timer(&ledinternal->timer, led_timeout_callback,
+- (unsigned long)ledinternal);
++ /* Since the letinternal timer can be shared between multiple targets,
++ * always set it up, even if the current target does not need it
++ */
++ setup_timer(&ledinternal->timer, led_timeout_callback,
++ (unsigned long)ledinternal);
+
+ list_add_tail(&ledinternal->list, &xt_led_triggers);
+
+@@ -181,8 +182,7 @@ static void led_tg_destroy(const struct
+
+ list_del(&ledinternal->list);
+
+- if (ledinfo->delay > 0)
+- del_timer_sync(&ledinternal->timer);
++ del_timer_sync(&ledinternal->timer);
+
+ led_trigger_unregister(&ledinternal->netfilter_led_trigger);
+
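Review bot: The new comment in `led_tg_check()` has a typo, `letinternal` for `ledinternal`, and it states the rule without the consequence; suggest `/* The ledinternal timer may be shared by several targets, so always set it up: a later target with delay > 0 would otherwise mod_timer() an uninitialised timer. */`. The matching unconditional `del_timer_sync()` in `led_tg_destroy()` (second hunk) is the right pairing — a conditional teardown would leave a timer armed by another sharer pending when the first registrant had `delay == 0`. Both functions extend beyond their hunks.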
watchdog-hpwdt-check-source-of-nmi.patch
watchdog-hpwdt-fix-unused-variable-warning.patch
netfilter-nfnetlink_queue-fix-timestamp-attribute.patch
+arm-omap2-hide-omap3_save_secure_ram-on-non-omap3-builds.patch
+input-tca8418_keypad-remove-double-read-of-key-event-register.patch
+tc358743-fix-register-i2c_rd-wr-function-fix.patch
+netfilter-add-back-stackpointer-size-checks.patch
+netfilter-x_tables-fix-missing-timer-initialization-in-xt_led.patch
+netfilter-nat-cope-with-negative-port-range.patch
+netfilter-idletimer-be-syzkaller-friendly.patch
+netfilter-ebtables-config_compat-don-t-trust-userland-offsets.patch
+netfilter-bridge-ebt_among-add-missing-match-size-checks.patch
+netfilter-ipv6-fix-use-after-free-write-in-nf_nat_ipv6_manip_pkt.patch
+netfilter-use-skb_to_full_sk-in-ip_route_me_harder.patch
--- /dev/null
+From f2c61f98e0b5f8b53b8fb860e5dcdd661bde7d0b Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Thu, 4 May 2017 12:20:17 -0300
+Subject: [media] tc358743: fix register i2c_rd/wr function fix
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+commit f2c61f98e0b5f8b53b8fb860e5dcdd661bde7d0b upstream.
+
+The below mentioned fix contains a small but severe bug,
+fix it to make the driver work again.
+
+Fixes: 3538aa6ecfb2 ("[media] tc358743: fix register i2c_rd/wr functions")
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/tc358743.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -226,7 +226,7 @@ static void i2c_wr8(struct v4l2_subdev *
+ static void i2c_wr8_and_or(struct v4l2_subdev *sd, u16 reg,
+ u8 mask, u8 val)
+ {
+- i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 2) & mask) | val, 2);
++ i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 1) & mask) | val, 1);
+ }
+
+ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
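Review bot: `i2c_wr8_and_or()` now passes width `1` to both `i2c_rdreg()` and `i2c_wrreg()`, which matches the 8-bit contract its name promises, but the widths remain bare literals that the earlier fix already got wrong once. A short comment on the function, `/* 8-bit register read-modify-write: both accesses must be 1 byte wide */`, would tie the argument to the function's purpose; if the sibling `i2c_wr16`/`i2c_wr32` helpers use the same pattern, a named width constant per accessor would make a mismatch stand out in review. The hunk shows the whole body, so the change is complete for this function.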