--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 22 Apr 2018 19:11:50 +0800
+Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ]
+
+After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it
+would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev
+if bond->dev->npinfo was set.
+
+However now slave_dev npinfo is set with bond->dev->npinfo before calling
+slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called
+in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup().
+It causes that the lower dev of this slave dev can't set its npinfo.
+
+One way to reproduce it:
+
+ # modprobe bonding
+ # brctl addbr br0
+ # brctl addif br0 eth1
+ # ifconfig bond0 192.168.122.1/24 up
+ # ifenslave bond0 eth2
+ # systemctl restart netconsole
+ # ifenslave bond0 br0
+ # ifconfig eth2 down
+ # systemctl restart netconsole
+
+The netpoll won't really work.
+
+This patch is to remove that slave_dev npinfo setting in bond_enslave().
+
+Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1654,8 +1654,7 @@ int bond_enslave(struct net_device *bond
+ } /* switch(bond_mode) */
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+- slave_dev->npinfo = bond->dev->npinfo;
+- if (slave_dev->npinfo) {
++ if (bond->dev->npinfo) {
+ if (slave_enable_netpoll(new_slave)) {
+ netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
+ res = -EBUSY;
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 22 Apr 2018 18:29:23 -0700
+Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
+
+KMSAN reported use of uninit-value that I tracked to lack
+of proper size check on RTA_TABLE attribute.
+
+I also believe RTA_PREFSRC lacks a similar check.
+
+Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
+Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2811,6 +2811,7 @@ void rt6_mtu_change(struct net_device *d
+
+ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+ [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) },
++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) },
+ [RTA_OIF] = { .type = NLA_U32 },
+ [RTA_IIF] = { .type = NLA_U32 },
+ [RTA_PRIORITY] = { .type = NLA_U32 },
+@@ -2820,6 +2821,7 @@ static const struct nla_policy rtm_ipv6_
+ [RTA_ENCAP_TYPE] = { .type = NLA_U16 },
+ [RTA_ENCAP] = { .type = NLA_NESTED },
+ [RTA_EXPIRES] = { .type = NLA_U32 },
++ [RTA_TABLE] = { .type = NLA_U32 },
+ };
+
+ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 17 Apr 2018 12:07:06 -0700
+Subject: KEYS: DNS: limit the length of option strings
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ]
+
+Adding a dns_resolver key whose payload contains a very long option name
+resulted in that string being printed in full. This hit the WARN_ONCE()
+in set_precision() during the printk(), because printk() only supports a
+precision of up to 32767 bytes:
+
+ precision 1000000 too large
+ WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
+
+Fix it by limiting option strings (combined name + value) to a much more
+reasonable 128 bytes. The exact limit is arbitrary, but currently the
+only recognized option is formatted as "dnserror=%lu" which fits well
+within this limit.
+
+Also ratelimit the printks.
+
+Reproducer:
+
+ perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
+
+This bug was found using syzkaller.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dns_resolver/dns_key.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -25,6 +25,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
++#include <linux/ratelimit.h>
+ #include <linux/kernel.h>
+ #include <linux/keyctl.h>
+ #include <linux/err.h>
+@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_prepars
+
+ next_opt = memchr(opt, '#', end - opt) ?: end;
+ opt_len = next_opt - opt;
+- if (!opt_len) {
+- printk(KERN_WARNING
+- "Empty option to dns_resolver key\n");
++ if (opt_len <= 0 || opt_len > 128) {
++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
++ opt_len);
+ return -EINVAL;
+ }
+
+@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_prepars
+ }
+
+ bad_option_value:
+- printk(KERN_WARNING
+- "Option '%*.*s' to dns_resolver key:"
+- " bad/missing value\n",
+- opt_nlen, opt_nlen, opt);
++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
++ opt_nlen, opt_nlen, opt);
+ return -EINVAL;
+ } while (opt = next_opt + 1, opt < end);
+ }
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:15:14 +0200
+Subject: l2tp: check sockaddr length in pppol2tp_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]
+
+Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
+it actually points to valid data.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -590,6 +590,13 @@ static int pppol2tp_connect(struct socke
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OL2TP)
+ goto end;
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 12:25:38 -0700
+Subject: llc: delete timers synchronously in llc_sk_free()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
+
+The connection timers of an llc sock could be still flying
+after we delete them in llc_sk_free(), and even possibly
+after we free the sock. We could just wait synchronously
+here in case of troubles.
+
+Note, I leave other call paths as they are, since they may
+not have to wait, at least we can change them to synchronously
+when needed.
+
+Also, move the code to net/llc/llc_conn.c, which is apparently
+a better place.
+
+Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/llc_conn.h | 1 +
+ net/llc/llc_c_ac.c | 9 +--------
+ net/llc/llc_conn.c | 22 +++++++++++++++++++++-
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(
+
+ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
+ struct proto *prot, int kern);
++void llc_sk_stop_all_timers(struct sock *sk, bool sync);
+ void llc_sk_free(struct sock *sk);
+
+ void llc_sk_reset(struct sock *sk);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -1096,14 +1096,7 @@ int llc_conn_ac_inc_tx_win_size(struct s
+
+ int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
+ {
+- struct llc_sock *llc = llc_sk(sk);
+-
+- del_timer(&llc->pf_cycle_timer.timer);
+- del_timer(&llc->ack_timer.timer);
+- del_timer(&llc->rej_sent_timer.timer);
+- del_timer(&llc->busy_state_timer.timer);
+- llc->ack_must_be_send = 0;
+- llc->ack_pf = 0;
++ llc_sk_stop_all_timers(sk, false);
+ return 0;
+ }
+
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -951,6 +951,26 @@ out:
+ return sk;
+ }
+
++void llc_sk_stop_all_timers(struct sock *sk, bool sync)
++{
++ struct llc_sock *llc = llc_sk(sk);
++
++ if (sync) {
++ del_timer_sync(&llc->pf_cycle_timer.timer);
++ del_timer_sync(&llc->ack_timer.timer);
++ del_timer_sync(&llc->rej_sent_timer.timer);
++ del_timer_sync(&llc->busy_state_timer.timer);
++ } else {
++ del_timer(&llc->pf_cycle_timer.timer);
++ del_timer(&llc->ack_timer.timer);
++ del_timer(&llc->rej_sent_timer.timer);
++ del_timer(&llc->busy_state_timer.timer);
++ }
++
++ llc->ack_must_be_send = 0;
++ llc->ack_pf = 0;
++}
++
+ /**
+ * llc_sk_free - Frees a LLC socket
+ * @sk - socket to free
+@@ -963,7 +983,7 @@ void llc_sk_free(struct sock *sk)
+
+ llc->state = LLC_CONN_OUT_OF_SVC;
+ /* Stop all (possibly) running timers */
+- llc_conn_ac_stop_all_timers(sk, NULL);
++ llc_sk_stop_all_timers(sk, true);
+ #ifdef DEBUG_LLC_CONN_ALLOC
+ printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
+ skb_queue_len(&llc->pdu_unack_q),
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 21:54:34 -0700
+Subject: llc: fix NULL pointer deref for SOCK_ZAPPED
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
+
+For SOCK_ZAPPED socket, we don't need to care about llc->sap,
+so we should just skip these refcount functions in this case.
+
+Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -187,7 +187,6 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
+- struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -198,15 +197,19 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+- sap = llc->sap;
+- /* Hold this for release_sock(), so that llc_backlog_rcv() could still
+- * use it.
+- */
+- llc_sap_hold(sap);
+- if (!sock_flag(sk, SOCK_ZAPPED))
++ if (!sock_flag(sk, SOCK_ZAPPED)) {
++ struct llc_sap *sap = llc->sap;
++
++ /* Hold this for release_sock(), so that llc_backlog_rcv()
++ * could still use it.
++ */
++ llc_sap_hold(sap);
+ llc_sap_remove_socket(llc->sap, sk);
+- release_sock(sk);
+- llc_sap_put(sap);
++ release_sock(sk);
++ llc_sap_put(sap);
++ } else {
++ release_sock(sk);
++ }
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Apr 2018 11:51:56 -0700
+Subject: llc: hold llc_sap before release_sock()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
+
+syzbot reported we still access llc->sap in llc_backlog_rcv()
+after it is freed in llc_sap_remove_socket():
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
+ llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
+ llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
+ llc_conn_service net/llc/llc_conn.c:400 [inline]
+ llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
+ llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
+ sk_backlog_rcv include/net/sock.h:909 [inline]
+ __release_sock+0x12f/0x3a0 net/core/sock.c:2335
+ release_sock+0xa4/0x2b0 net/core/sock.c:2850
+ llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
+
+llc->sap is refcount'ed and llc_sap_remove_socket() is paired
+with llc_sap_add_socket(). This can be amended by holding its refcount
+before llc_sap_remove_socket() and releasing it after release_sock().
+
+Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -187,6 +187,7 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
++ struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -197,9 +198,15 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
++ sap = llc->sap;
++ /* Hold this for release_sock(), so that llc_backlog_rcv() could still
++ * use it.
++ */
++ llc_sap_hold(sap);
+ if (!sock_flag(sk, SOCK_ZAPPED))
+ llc_sap_remove_socket(llc->sap, sk);
+ release_sock(sk);
++ llc_sap_put(sap);
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Apr 2018 17:52:04 -0700
+Subject: net: af_packet: fix race in PACKET_{R|T}X_RING
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]
+
+In order to remove the race caught by syzbot [1], we need
+to lock the socket before using po->tp_version as this could
+change under us otherwise.
+
+This means lock_sock() and release_sock() must be done by
+packet_set_ring() callers.
+
+[1] :
+BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+ packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+ SyS_setsockopt+0x76/0xa0 net/socket.c:1828
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x449099
+RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
+RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
+RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
+
+Local variable description: ----req_u@packet_setsockopt
+Variable was created at:
+ packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3024,6 +3024,7 @@ static int packet_release(struct socket
+
+ packet_flush_mclist(sk);
+
++ lock_sock(sk);
+ if (po->rx_ring.pg_vec) {
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 0);
+@@ -3033,6 +3034,7 @@ static int packet_release(struct socket
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 1);
+ }
++ release_sock(sk);
+
+ f = fanout_release(sk);
+
+@@ -3661,6 +3663,7 @@ packet_setsockopt(struct socket *sock, i
+ union tpacket_req_u req_u;
+ int len;
+
++ lock_sock(sk);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+@@ -3671,12 +3674,17 @@ packet_setsockopt(struct socket *sock, i
+ len = sizeof(req_u.req3);
+ break;
+ }
+- if (optlen < len)
+- return -EINVAL;
+- if (copy_from_user(&req_u.req, optval, len))
+- return -EFAULT;
+- return packet_set_ring(sk, &req_u, 0,
+- optname == PACKET_TX_RING);
++ if (optlen < len) {
++ ret = -EINVAL;
++ } else {
++ if (copy_from_user(&req_u.req, optval, len))
++ ret = -EFAULT;
++ else
++ ret = packet_set_ring(sk, &req_u, 0,
++ optname == PACKET_TX_RING);
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_COPY_THRESH:
+ {
+@@ -4247,7 +4255,6 @@ static int packet_set_ring(struct sock *
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
+- lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4383,7 +4390,6 @@ static int packet_set_ring(struct sock *
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+- release_sock(sk);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Date: Thu, 19 Apr 2018 22:49:09 +0300
+Subject: net: ethernet: ti: cpsw: fix tx vlan priority mapping
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+
+[ Upstream commit 5e391dc5a8d801a2410d0032ad4a428d1d61800c ]
+
+The CPDMA_TX_PRIORITY_MAP in real is vlan pcp field priority mapping
+register and basically replaces vlan pcp field for tagged packets.
+So, set it to be 1:1 mapping. Otherwise, it will cause unexpected
+change of egress vlan tagged packets, like prio 2 -> prio 5.
+
+Fixes: e05107e6b747 ("net: ethernet: ti: cpsw: add multi queue support")
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -124,7 +124,7 @@ do { \
+
+ #define RX_PRIORITY_MAPPING 0x76543210
+ #define TX_PRIORITY_MAPPING 0x33221100
+-#define CPDMA_TX_PRIORITY_MAP 0x01234567
++#define CPDMA_TX_PRIORITY_MAP 0x76543210
+
+ #define CPSW_VLAN_AWARE BIT(1)
+ #define CPSW_ALE_VLAN_AWARE 1
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 12 Apr 2018 10:46:55 +0200
+Subject: net: fix deadlock while clearing neighbor proxy table
+
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+
+
+[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ]
+
+When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
+neigh_ifdown() is called with &nd_tbl, locking this while
+clearing the proxy neighbor entries when eg. deleting an
+interface. Calling the table's pndisc_destructor() with the
+lock still held, however, can cause a deadlock: When a
+multicast listener is available an IGMP packet of type
+ICMPV6_MGM_REDUCTION may be sent out. When reaching
+ip6_finish_output2(), if no neighbor entry for the target
+address is found, __neigh_create() is called with &nd_tbl,
+which it'll want to lock.
+
+Move the elements into their own list, then unlock the table
+and perform the destruction.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
+Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -54,7 +54,8 @@ do { \
+ static void neigh_timer_handler(unsigned long arg);
+ static void __neigh_notify(struct neighbour *n, int type, int flags);
+ static void neigh_update_notify(struct neighbour *neigh);
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev);
+
+ #ifdef CONFIG_PROC_FS
+ static const struct file_operations neigh_stat_seq_fops;
+@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl
+ {
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev);
+- pneigh_ifdown(tbl, dev);
+- write_unlock_bh(&tbl->lock);
++ pneigh_ifdown_and_unlock(tbl, dev);
+
+ del_timer_sync(&tbl->proxy_timer);
+ pneigh_queue_purge(&tbl->proxy_queue);
+@@ -645,9 +645,10 @@ int pneigh_delete(struct neigh_table *tb
+ return -ENOENT;
+ }
+
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev)
+ {
+- struct pneigh_entry *n, **np;
++ struct pneigh_entry *n, **np, *freelist = NULL;
+ u32 h;
+
+ for (h = 0; h <= PNEIGH_HASHMASK; h++) {
+@@ -655,16 +656,23 @@ static int pneigh_ifdown(struct neigh_ta
+ while ((n = *np) != NULL) {
+ if (!dev || n->dev == dev) {
+ *np = n->next;
+- if (tbl->pdestructor)
+- tbl->pdestructor(n);
+- if (n->dev)
+- dev_put(n->dev);
+- kfree(n);
++ n->next = freelist;
++ freelist = n;
+ continue;
+ }
+ np = &n->next;
+ }
+ }
++ write_unlock_bh(&tbl->lock);
++ while ((n = freelist)) {
++ freelist = n->next;
++ n->next = NULL;
++ if (tbl->pdestructor)
++ tbl->pdestructor(n);
++ if (n->dev)
++ dev_put(n->dev);
++ kfree(n);
++ }
+ return -ENOENT;
+ }
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:03 -0400
+Subject: net: sched: ife: signal not finding metaid
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ]
+
+We need to record stats for received metadata that we dont know how
+to process. Have find_decode_metaid() return -ENOENT to capture this.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -634,7 +634,7 @@ int find_decode_metaid(struct sk_buff *s
+ }
+ }
+
+- return 0;
++ return -ENOENT;
+ }
+
+ struct ifeheadr {
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:46:00 -0700
+Subject: net: validate attribute sizes in neigh_dump_table()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744 ]
+
+Since neigh_dump_table() calls nlmsg_parse() without giving policy
+constraints, attributes can have arbirary size that we must validate
+
+Reported by syzbot/KMSAN :
+
+BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ neigh_master_filtered net/core/neighbour.c:2292 [inline]
+ neigh_dump_table net/core/neighbour.c:2348 [inline]
+ neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+ netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225
+ __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598
+ netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fed9
+RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
+RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800
+R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
+ netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2279,12 +2279,16 @@ static int neigh_dump_table(struct neigh
+
+ err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL);
+ if (!err) {
+- if (tb[NDA_IFINDEX])
++ if (tb[NDA_IFINDEX]) {
++ if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32))
++ return -EINVAL;
+ filter_idx = nla_get_u32(tb[NDA_IFINDEX]);
+-
+- if (tb[NDA_MASTER])
++ }
++ if (tb[NDA_MASTER]) {
++ if (nla_len(tb[NDA_MASTER]) != sizeof(u32))
++ return -EINVAL;
+ filter_master_idx = nla_get_u32(tb[NDA_MASTER]);
+-
++ }
+ if (filter_idx || filter_master_idx)
+ flags |= NLM_F_DUMP_FILTERED;
+ }
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 23 Apr 2018 17:37:03 -0400
+Subject: packet: fix bitfield update race
+
+From: Willem de Bruijn <willemb@google.com>
+
+
+[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]
+
+Updates to the bitfields in struct packet_sock are not atomic.
+Serialize these read-modify-write cycles.
+
+Move po->running into a separate variable. Its writes are protected by
+po->bind_lock (except for one startup case at packet_create). Also
+replace a textual precondition warning with lockdep annotation.
+
+All others are set only in packet_setsockopt. Serialize these
+updates by holding the socket lock. Analogous to other field updates,
+also hold the lock when testing whether a ring is active (pg_vec).
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 60 +++++++++++++++++++++++++++++++++++--------------
+ net/packet/internal.h | 10 ++++----
+ 2 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -333,11 +333,11 @@ static void packet_pick_tx_queue(struct
+ skb_set_queue_mapping(skb, queue_index);
+ }
+
+-/* register_prot_hook must be invoked with the po->bind_lock held,
++/* __register_prot_hook must be invoked through register_prot_hook
+ * or from a context in which asynchronous accesses to the packet
+ * socket is not possible (packet_create()).
+ */
+-static void register_prot_hook(struct sock *sk)
++static void __register_prot_hook(struct sock *sk)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
+@@ -352,8 +352,13 @@ static void register_prot_hook(struct so
+ }
+ }
+
+-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+- * held. If the sync parameter is true, we will temporarily drop
++static void register_prot_hook(struct sock *sk)
++{
++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
++ __register_prot_hook(sk);
++}
++
++/* If the sync parameter is true, we will temporarily drop
+ * the po->bind_lock and do a synchronize_net to make sure no
+ * asynchronous packet processing paths still refer to the elements
+ * of po->prot_hook. If the sync parameter is false, it is the
+@@ -363,6 +368,8 @@ static void __unregister_prot_hook(struc
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
++ lockdep_assert_held_once(&po->bind_lock);
++
+ po->running = 0;
+
+ if (po->fanout)
+@@ -3259,7 +3266,7 @@ static int packet_create(struct net *net
+
+ if (proto) {
+ po->prot_hook.type = proto;
+- register_prot_hook(sk);
++ __register_prot_hook(sk);
+ }
+
+ mutex_lock(&net->packet.sklist_lock);
+@@ -3735,12 +3742,18 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_loss = !!val;
+- return 0;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_loss = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_AUXDATA:
+ {
+@@ -3751,7 +3764,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->auxdata = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -3763,7 +3778,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->origdev = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_VNET_HDR:
+@@ -3772,15 +3789,20 @@ packet_setsockopt(struct socket *sock, i
+
+ if (sock->type != SOCK_RAW)
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- po->has_vnet_hdr = !!val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->has_vnet_hdr = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_TIMESTAMP:
+ {
+@@ -3818,11 +3840,17 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_tx_has_off = !!val;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_tx_has_off = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_QDISC_BYPASS:
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -109,10 +109,12 @@ struct packet_sock {
+ int copy_thresh;
+ spinlock_t bind_lock;
+ struct mutex pg_vec_lock;
+- unsigned int running:1, /* prot_hook is attached*/
+- auxdata:1,
++ unsigned int running; /* bind_lock must be held */
++ unsigned int auxdata:1, /* writer must hold sock lock */
+ origdev:1,
+- has_vnet_hdr:1;
++ has_vnet_hdr:1,
++ tp_loss:1,
++ tp_tx_has_off:1;
+ int pressure;
+ int ifindex; /* bound device */
+ __be16 num;
+@@ -122,8 +124,6 @@ struct packet_sock {
+ enum tpacket_versions tp_version;
+ unsigned int tp_hdrlen;
+ unsigned int tp_reserve;
+- unsigned int tp_loss:1;
+- unsigned int tp_tx_has_off:1;
+ unsigned int tp_tstamp;
+ struct net_device __rcu *cached_dev;
+ int (*xmit)(struct sk_buff *skb);
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:38:27 +0200
+Subject: pppoe: check sockaddr length in pppoe_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ]
+
+We must validate sockaddr_len, otherwise userspace can pass fewer data
+than we expect and we end up accessing invalid data.
+
+Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
+Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -620,6 +620,10 @@ static int pppoe_connect(struct socket *
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppox))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 12 Apr 2018 14:24:31 +0800
+Subject: sctp: do not check port in sctp_inet6_cmp_addr
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ]
+
+pf->cmp_addr() is called before binding a v6 address to the sock. It
+should not check ports, like in sctp_inet_cmp_addr.
+
+But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr,
+sctp_v6_cmp_addr where it also compares the ports.
+
+This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind
+multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp:
+lack the check for ports in sctp_v6_cmp_addr").
+
+This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr,
+but do the proper check for both v6 addrs and v4mapped addrs.
+
+v1->v2:
+ - define __sctp_v6_cmp_addr to do the common address comparison
+ used for both pf and af v6 cmp_addr.
+
+Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr")
+Reported-by: Jianwen Ji <jiji@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 60 ++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 30 insertions(+), 30 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -521,46 +521,49 @@ static void sctp_v6_to_addr(union sctp_a
+ addr->v6.sin6_scope_id = 0;
+ }
+
+-/* Compare addresses exactly.
+- * v4-mapped-v6 is also in consideration.
+- */
+-static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+- const union sctp_addr *addr2)
++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1,
++ const union sctp_addr *addr2)
+ {
+ if (addr1->sa.sa_family != addr2->sa.sa_family) {
+ if (addr1->sa.sa_family == AF_INET &&
+ addr2->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) {
+- if (addr2->v6.sin6_port == addr1->v4.sin_port &&
+- addr2->v6.sin6_addr.s6_addr32[3] ==
+- addr1->v4.sin_addr.s_addr)
+- return 1;
+- }
++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) &&
++ addr2->v6.sin6_addr.s6_addr32[3] ==
++ addr1->v4.sin_addr.s_addr)
++ return 1;
++
+ if (addr2->sa.sa_family == AF_INET &&
+ addr1->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) {
+- if (addr1->v6.sin6_port == addr2->v4.sin_port &&
+- addr1->v6.sin6_addr.s6_addr32[3] ==
+- addr2->v4.sin_addr.s_addr)
+- return 1;
+- }
++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) &&
++ addr1->v6.sin6_addr.s6_addr32[3] ==
++ addr2->v4.sin_addr.s_addr)
++ return 1;
++
+ return 0;
+ }
+- if (addr1->v6.sin6_port != addr2->v6.sin6_port)
+- return 0;
++
+ if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
+ return 0;
++
+ /* If this is a linklocal address, compare the scope_id. */
+- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
+- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
+- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) {
+- return 0;
+- }
+- }
++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) &&
++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)
++ return 0;
+
+ return 1;
+ }
+
++/* Compare addresses exactly.
++ * v4-mapped-v6 is also in consideration.
++ */
++static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
++ const union sctp_addr *addr2)
++{
++ return __sctp_v6_cmp_addr(addr1, addr2) &&
++ addr1->v6.sin6_port == addr2->v6.sin6_port;
++}
++
+ /* Initialize addr struct to INADDR_ANY. */
+ static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port)
+ {
+@@ -844,8 +847,8 @@ static int sctp_inet6_cmp_addr(const uni
+ const union sctp_addr *addr2,
+ struct sctp_sock *opt)
+ {
+- struct sctp_af *af1, *af2;
+ struct sock *sk = sctp_opt2sk(opt);
++ struct sctp_af *af1, *af2;
+
+ af1 = sctp_get_af_specific(addr1->sa.sa_family);
+ af2 = sctp_get_af_specific(addr2->sa.sa_family);
+@@ -861,10 +864,7 @@ static int sctp_inet6_cmp_addr(const uni
+ if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
+ return 1;
+
+- if (addr1->sa.sa_family != addr2->sa.sa_family)
+- return 0;
+-
+- return af1->cmp_addr(addr1, addr2);
++ return __sctp_v6_cmp_addr(addr1, addr2);
+ }
+
+ /* Verify that the provided sockaddr looks bindable. Common verification,
s390-add-sysfs-attributes-for-spectre.patch
s390-correct-nospec-auto-detection-init-order.patch
s390-correct-module-section-names-for-expoline-code-revert.patch
+bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
+keys-dns-limit-the-length-of-option-strings.patch
+l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
+net-validate-attribute-sizes-in-neigh_dump_table.patch
+llc-delete-timers-synchronously-in-llc_sk_free.patch
+tcp-don-t-read-out-of-bounds-opsize.patch
+team-avoid-adding-twice-the-same-option-to-the-event-list.patch
+team-fix-netconsole-setup-over-team.patch
+packet-fix-bitfield-update-race.patch
+tipc-add-policy-for-tipc_nla_net_addr.patch
+pppoe-check-sockaddr-length-in-pppoe_connect.patch
+vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch
+sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
+net-sched-ife-signal-not-finding-metaid.patch
+llc-hold-llc_sap-before-release_sock.patch
+llc-fix-null-pointer-deref-for-sock_zapped.patch
+net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
+
+net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
+tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
+net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
+ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
+
+strparser-fix-incorrect-strp-need_bytes-value.patch
+
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Wed, 11 Apr 2018 15:05:16 -0700
+Subject: strparser: Fix incorrect strp->need_bytes value.
+
+From: Doron Roberts-Kedes <doronrk@fb.com>
+
+
+[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ]
+
+strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates
+that the remainder of the message has been received. However,
+do_strp_work does not reset strp->need_bytes to 0. If do_strp_work
+completes a partial message, the value of strp->need_bytes will continue
+to reflect the needed bytes of the previous message, causing
+future invocations of strp_data_ready to return early if
+strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes
+to 0 in __strp_recv on handing a full message to the upper layer solves
+this problem.
+
+__strp_recv also calculates strp->need_bytes using stm->accum_len before
+stm->accum_len has been incremented by cand_len. This can cause
+strp->need_bytes to be equal to the full length of the message instead
+of the full length minus the accumulated length. This, in turn, causes
+strp_data_ready to return early, even when there is sufficient data to
+complete the partial message. Incrementing stm->accum_len before using
+it to calculate strp->need_bytes solves this problem.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -285,9 +285,9 @@ static int strp_recv(read_descriptor_t *
+ strp_start_rx_timer(strp);
+ }
+
++ rxm->accum_len += cand_len;
+ strp->rx_need_bytes = rxm->strp.full_len -
+ rxm->accum_len;
+- rxm->accum_len += cand_len;
+ rxm->early_eaten = cand_len;
+ STRP_STATS_ADD(strp->stats.rx_bytes, cand_len);
+ desc->count = 0; /* Stop reading socket */
+@@ -310,6 +310,7 @@ static int strp_recv(read_descriptor_t *
+ /* Hurray, we have a new message! */
+ del_timer(&strp->rx_msg_timer);
+ strp->rx_skb_head = NULL;
++ strp->rx_need_bytes = 0;
+ STRP_STATS_INCR(strp->stats.rx_msgs);
+
+ /* Give skb to upper layer */
+@@ -374,9 +375,7 @@ void strp_data_ready(struct strparser *s
+ return;
+
+ if (strp->rx_need_bytes) {
+- if (strp_peek_len(strp) >= strp->rx_need_bytes)
+- strp->rx_need_bytes = 0;
+- else
++ if (strp_peek_len(strp) < strp->rx_need_bytes)
+ return;
+ }
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Fri, 20 Apr 2018 15:57:30 +0200
+Subject: tcp: don't read out-of-bounds opsize
+
+From: Jann Horn <jannh@google.com>
+
+
+[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ]
+
+The old code reads the "opsize" variable from out-of-bounds memory (first
+byte behind the segment) if a broken TCP segment ends directly after an
+opcode that is neither EOL nor NOP.
+
+The result of the read isn't used for anything, so the worst thing that
+could theoretically happen is a pagefault; and since the physmap is usually
+mostly contiguous, even that seems pretty unlikely.
+
+The following C reproducer triggers the uninitialized read - however, you
+can't actually see anything happen unless you put something like a
+pr_warn() in tcp_parse_md5sig_option() to print the opsize.
+
+====================================
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <net/if.h>
+#include <linux/if.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/in.h>
+#include <linux/if_tun.h>
+#include <err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <assert.h>
+
+void systemf(const char *command, ...) {
+ char *full_command;
+ va_list ap;
+ va_start(ap, command);
+ if (vasprintf(&full_command, command, ap) == -1)
+ err(1, "vasprintf");
+ va_end(ap);
+ printf("systemf: <<<%s>>>\n", full_command);
+ system(full_command);
+}
+
+char *devname;
+
+int tun_alloc(char *name) {
+ int fd = open("/dev/net/tun", O_RDWR);
+ if (fd == -1)
+ err(1, "open tun dev");
+ static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI };
+ strcpy(req.ifr_name, name);
+ if (ioctl(fd, TUNSETIFF, &req))
+ err(1, "TUNSETIFF");
+ devname = req.ifr_name;
+ printf("device name: %s\n", devname);
+ return fd;
+}
+
+#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24))
+
+void sum_accumulate(unsigned int *sum, void *data, int len) {
+ assert((len&2)==0);
+ for (int i=0; i<len/2; i++) {
+ *sum += ntohs(((unsigned short *)data)[i]);
+ }
+}
+
+unsigned short sum_final(unsigned int sum) {
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum = (sum >> 16) + (sum & 0xffff);
+ return htons(~sum);
+}
+
+void fix_ip_sum(struct iphdr *ip) {
+ unsigned int sum = 0;
+ sum_accumulate(&sum, ip, sizeof(*ip));
+ ip->check = sum_final(sum);
+}
+
+void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) {
+ unsigned int sum = 0;
+ struct {
+ unsigned int saddr;
+ unsigned int daddr;
+ unsigned char pad;
+ unsigned char proto_num;
+ unsigned short tcp_len;
+ } fakehdr = {
+ .saddr = ip->saddr,
+ .daddr = ip->daddr,
+ .proto_num = ip->protocol,
+ .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4)
+ };
+ sum_accumulate(&sum, &fakehdr, sizeof(fakehdr));
+ sum_accumulate(&sum, tcp, tcp->doff*4);
+ tcp->check = sum_final(sum);
+}
+
+int main(void) {
+ int tun_fd = tun_alloc("inject_dev%d");
+ systemf("ip link set %s up", devname);
+ systemf("ip addr add 192.168.42.1/24 dev %s", devname);
+
+ struct {
+ struct iphdr ip;
+ struct tcphdr tcp;
+ unsigned char tcp_opts[20];
+ } __attribute__((packed)) syn_packet = {
+ .ip = {
+ .ihl = sizeof(struct iphdr)/4,
+ .version = 4,
+ .tot_len = htons(sizeof(syn_packet)),
+ .ttl = 30,
+ .protocol = IPPROTO_TCP,
+ /* FIXUP check */
+ .saddr = IPADDR(192,168,42,2),
+ .daddr = IPADDR(192,168,42,1)
+ },
+ .tcp = {
+ .source = htons(1),
+ .dest = htons(1337),
+ .seq = 0x12345678,
+ .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4,
+ .syn = 1,
+ .window = htons(64),
+ .check = 0 /*FIXUP*/
+ },
+ .tcp_opts = {
+ /* INVALID: trailing MD5SIG opcode after NOPs */
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 19
+ }
+ };
+ fix_ip_sum(&syn_packet.ip);
+ fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp);
+ while (1) {
+ int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet));
+ if (write_res != sizeof(syn_packet))
+ err(1, "packet write failed");
+ }
+}
+====================================
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3943,11 +3943,8 @@ const u8 *tcp_parse_md5sig_option(const
+ int length = (th->doff << 2) - sizeof(*th);
+ const u8 *ptr = (const u8 *)(th + 1);
+
+- /* If the TCP option is too short, we can short cut */
+- if (length < TCPOLEN_MD5SIG)
+- return NULL;
+-
+- while (length > 0) {
++ /* If not enough data remaining, we can short cut */
++ while (length >= TCPOLEN_MD5SIG) {
+ int opcode = *ptr++;
+ int opsize;
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:36:28 -0700
+Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
+
+syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
+
+I believe this was caused by a TCP_MD5SIG being set on live
+flow.
+
+This is highly unexpected, since TCP option space is limited.
+
+For instance, presence of TCP MD5 option automatically disables
+TCP TimeStamp option at SYN/SYNACK time, which we can not do
+once flow has been established.
+
+Really, adding/deleting an MD5 key only makes sense on sockets
+in CLOSE or LISTEN state.
+
+[1]
+BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+ tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
+ tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
+ tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x448fe9
+RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
+RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
+RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
+R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
+R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
+ __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
+ tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2662,8 +2662,10 @@ static int do_tcp_setsockopt(struct sock
+
+ #ifdef CONFIG_TCP_MD5SIG
+ case TCP_MD5SIG:
+- /* Read the IP->Key mappings from userspace */
+- err = tp->af_specific->md5_parse(sk, optval, optlen);
++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++ err = tp->af_specific->md5_parse(sk, optval, optlen);
++ else
++ err = -EINVAL;
+ break;
+ #endif
+ case TCP_USER_TIMEOUT:
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 13 Apr 2018 13:59:25 +0200
+Subject: team: avoid adding twice the same option to the event list
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ]
+
+When parsing the options provided by the user space,
+team_nl_cmd_options_set() insert them in a temporary list to send
+multiple events with a single message.
+While each option's attribute is correctly validated, the code does
+not check for duplicate entries before inserting into the event
+list.
+
+Exploiting the above, the syzbot was able to trigger the following
+splat:
+
+kernel BUG at lib/list_debug.c:31!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
+RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
+RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
+RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
+RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
+R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
+R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
+FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __list_add include/linux/list.h:60 [inline]
+ list_add include/linux/list.h:79 [inline]
+ team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
+ genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
+ genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:639
+ ___sys_sendmsg+0x805/0x940 net/socket.c:2117
+ __sys_sendmsg+0x115/0x270 net/socket.c:2155
+ SYSC_sendmsg net/socket.c:2164 [inline]
+ SyS_sendmsg+0x29/0x30 net/socket.c:2162
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4458b9
+RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
+RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
+RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
+R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
+Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48
+89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f
+40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
+RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
+
+This changeset addresses the avoiding list_add() if the current
+option is already present in the event list.
+
+Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -261,6 +261,17 @@ static void __team_option_inst_mark_remo
+ }
+ }
+
++static bool __team_option_inst_tmp_find(const struct list_head *opts,
++ const struct team_option_inst *needle)
++{
++ struct team_option_inst *opt_inst;
++
++ list_for_each_entry(opt_inst, opts, tmp_list)
++ if (opt_inst == needle)
++ return true;
++ return false;
++}
++
+ static int __team_options_register(struct team *team,
+ const struct team_option *option,
+ size_t option_count)
+@@ -2569,6 +2580,14 @@ static int team_nl_cmd_options_set(struc
+ if (err)
+ goto team_put;
+ opt_inst->changed = true;
++
++ /* dumb/evil user-space can send us duplicate opt,
++ * keep only the last one
++ */
++ if (__team_option_inst_tmp_find(&opt_inst_list,
++ opt_inst))
++ continue;
++
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ if (!opt_found) {
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 24 Apr 2018 14:33:37 +0800
+Subject: team: fix netconsole setup over team
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ]
+
+The same fix in Commit dbe173079ab5 ("bridge: fix netconsole
+setup over bridge") is also needed for team driver.
+
+While at it, remove the unnecessary parameter *team from
+team_port_enable_netpoll().
+
+v1->v2:
+ - fix it in a better way, as does bridge.
+
+Fixes: 0fb52a27a04a ("team: cleanup netpoll clode")
+Reported-by: João Avelino Bellomo Filho <jbellomo@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1078,14 +1078,11 @@ static void team_port_leave(struct team
+ }
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int __team_port_enable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np;
+ int err;
+
+- if (!team->dev->npinfo)
+- return 0;
+-
+ np = kzalloc(sizeof(*np), GFP_KERNEL);
+ if (!np)
+ return -ENOMEM;
+@@ -1099,6 +1096,14 @@ static int team_port_enable_netpoll(stru
+ return err;
+ }
+
++static int team_port_enable_netpoll(struct team_port *port)
++{
++ if (!port->team->dev->npinfo)
++ return 0;
++
++ return __team_port_enable_netpoll(port);
++}
++
+ static void team_port_disable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np = port->np;
+@@ -1113,7 +1118,7 @@ static void team_port_disable_netpoll(st
+ kfree(np);
+ }
+ #else
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int team_port_enable_netpoll(struct team_port *port)
+ {
+ return 0;
+ }
+@@ -1221,7 +1226,7 @@ static int team_port_add(struct team *te
+ goto err_vids_add;
+ }
+
+- err = team_port_enable_netpoll(team, port);
++ err = team_port_enable_netpoll(port);
+ if (err) {
+ netdev_err(dev, "Failed to enable netpoll on device %s\n",
+ portname);
+@@ -1919,7 +1924,7 @@ static int team_netpoll_setup(struct net
+
+ mutex_lock(&team->lock);
+ list_for_each_entry(port, &team->port_list, list) {
+- err = team_port_enable_netpoll(team, port);
++ err = __team_port_enable_netpoll(port);
+ if (err) {
+ __team_netpoll_cleanup(team);
+ break;
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 16 Apr 2018 08:29:42 -0700
+Subject: tipc: add policy for TIPC_NLA_NET_ADDR
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ]
+
+Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR
+
+Fixes: 27c21416727a ("tipc: add net set to new netlink api")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -79,7 +79,8 @@ const struct nla_policy tipc_nl_sock_pol
+
+ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
+ [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC },
+- [TIPC_NLA_NET_ID] = { .type = NLA_U32 }
++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 },
++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 },
+ };
+
+ const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 17 Apr 2018 18:46:14 +0900
+Subject: vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+
+[ Upstream commit 7ce2367254e84753bceb07327aaf5c953cfce117 ]
+
+Syzkaller spotted an old bug which leads to reading skb beyond tail by 4
+bytes on vlan tagged packets.
+This is caused because skb_vlan_tagged_multi() did not check
+skb_headlen.
+
+BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
+BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
+BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
+BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ eth_type_vlan include/linux/if_vlan.h:283 [inline]
+ skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+ vlan_features_check include/linux/if_vlan.h:672 [inline]
+ dflt_features_check net/core/dev.c:2949 [inline]
+ netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+ validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
+ __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ sock_write_iter+0x3b9/0x470 net/socket.c:909
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43ffa9
+RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
+RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
+R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
+ sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
+ packet_alloc_skb net/packet/af_packet.c:2803 [inline]
+ packet_snd net/packet/af_packet.c:2894 [inline]
+ packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ sock_write_iter+0x3b9/0x470 net/socket.c:909
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.")
+Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h | 7 +++++--
+ net/core/dev.c | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -600,7 +600,7 @@ static inline bool skb_vlan_tagged(const
+ * Returns true if the skb is tagged with multiple vlan headers, regardless
+ * of whether it is hardware accelerated or not.
+ */
+-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
+ {
+ __be16 protocol = skb->protocol;
+
+@@ -610,6 +610,9 @@ static inline bool skb_vlan_tagged_multi
+ if (likely(!eth_type_vlan(protocol)))
+ return false;
+
++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
++ return false;
++
+ veh = (struct vlan_ethhdr *)skb->data;
+ protocol = veh->h_vlan_encapsulated_proto;
+ }
+@@ -627,7 +630,7 @@ static inline bool skb_vlan_tagged_multi
+ *
+ * Returns features without unsafe ones if the skb has multiple tags.
+ */
+-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
++static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ if (skb_vlan_tagged_multi(skb)) {
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2871,7 +2871,7 @@ netdev_features_t passthru_features_chec
+ }
+ EXPORT_SYMBOL(passthru_features_check);
+
+-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
++static netdev_features_t dflt_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features)
+ {
projects / thirdparty / kernel / stable-queue.git / commitdiff
