4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Jun 2018 11:23:04 +0000 (13:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Jun 2018 11:23:04 +0000 (13:23 +0200)
added patches:
atm-zatm-fix-memcmp-casting.patch
ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch
net-qmi_wwan-add-netgear-aircard-779s.patch
net-sonic-use-dma_mapping_error.patch
netfilter-ebtables-handle-string-from-userspace-with-care.patch
xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch

queue-4.4/atm-zatm-fix-memcmp-casting.patch [new file with mode: 0644]
queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch [new file with mode: 0644]
queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch [new file with mode: 0644]
queue-4.4/net-sonic-use-dma_mapping_error.patch [new file with mode: 0644]
queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch [new file with mode: 0644]

diff --git a/queue-4.4/atm-zatm-fix-memcmp-casting.patch b/queue-4.4/atm-zatm-fix-memcmp-casting.patch
new file mode 100644 (file)
index 0000000..1b787a6
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+Date: Fri, 25 May 2018 20:49:52 +0300
+Subject: atm: zatm: fix memcmp casting
+
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+
+[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ]
+
+memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
+can lose significant bits and get 0 from non-0 value returned by the
+memcmp().
+
+Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/zatm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -1149,8 +1149,8 @@ static void eprom_get_byte(struct zatm_d
+ }
+-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+-                                 int offset, int swap)
++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
++                       int swap)
+ {
+       unsigned char buf[ZEPROM_SIZE];
+       struct zatm_dev *zatm_dev;
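Review bot: The hunk changes only the return type of eprom_try_esi(), so whether the fix is complete depends on the return statement and on every caller, all of which lie outside the hunk; the commit message says the body returns a memcmp() result, and memcmp() may return any int, so a caller that stores or compares the value through a narrower type would reintroduce the same truncation the patch removes. A one-line comment above the new signature would pin the contract for future readers, e.g. `/* Returns the raw memcmp() result (0 on match); callers must keep it as int. */`. The rest of eprom_try_esi() continues past the end of the hunk.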
diff --git a/queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch b/queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch
new file mode 100644 (file)
index 0000000..ccaec11
--- /dev/null
@@ -0,0 +1,146 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 19 May 2018 18:22:35 +0300
+Subject: ipvs: fix buffer overflow with sync daemon and service
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ]
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+    (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+  strlen include/linux/string.h:270 [inline]
+  strlcpy include/linux/string.h:293 [inline]
+  do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+  nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+  ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+  udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+  ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+  tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+  sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+  __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+  __do_sys_setsockopt net/socket.c:1914 [inline]
+  __se_sys_setsockopt net/socket.c:1911 [inline]
+  __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c |   21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2349,8 +2349,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
+                       struct ipvs_sync_daemon_cfg cfg;
+                       memset(&cfg, 0, sizeof(cfg));
+-                      strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+-                              sizeof(cfg.mcast_ifn));
++                      ret = -EINVAL;
++                      if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++                                  sizeof(cfg.mcast_ifn)) <= 0)
++                              goto out_dec;
+                       cfg.syncid = dm->syncid;
+                       ret = start_sync_thread(ipvs, &cfg, dm->state);
+               } else {
+@@ -2388,12 +2390,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
+               }
+       }
++      if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++          strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++          IP_VS_SCHEDNAME_MAXLEN) {
++              ret = -EINVAL;
++              goto out_unlock;
++      }
++
+       /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+       if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+           usvc.protocol != IPPROTO_SCTP) {
+-              pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++              pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+                      usvc.protocol, &usvc.addr.ip,
+-                     ntohs(usvc.port), usvc.sched_name);
++                     ntohs(usvc.port));
+               ret = -EFAULT;
+               goto out_unlock;
+       }
+@@ -2822,7 +2831,7 @@ static const struct nla_policy ip_vs_cmd
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+       [IPVS_DAEMON_ATTR_STATE]        = { .type = NLA_U32 },
+       [IPVS_DAEMON_ATTR_MCAST_IFN]    = { .type = NLA_NUL_STRING,
+-                                          .len = IP_VS_IFNAME_MAXLEN },
++                                          .len = IP_VS_IFNAME_MAXLEN - 1 },
+       [IPVS_DAEMON_ATTR_SYNC_ID]      = { .type = NLA_U32 },
+       [IPVS_DAEMON_ATTR_SYNC_MAXLEN]  = { .type = NLA_U16 },
+       [IPVS_DAEMON_ATTR_MCAST_GROUP]  = { .type = NLA_U32 },
+@@ -2840,7 +2849,7 @@ static const struct nla_policy ip_vs_svc
+       [IPVS_SVC_ATTR_PORT]            = { .type = NLA_U16 },
+       [IPVS_SVC_ATTR_FWMARK]          = { .type = NLA_U32 },
+       [IPVS_SVC_ATTR_SCHED_NAME]      = { .type = NLA_NUL_STRING,
+-                                          .len = IP_VS_SCHEDNAME_MAXLEN },
++                                          .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+       [IPVS_SVC_ATTR_PE_NAME]         = { .type = NLA_NUL_STRING,
+                                           .len = IP_VS_PENAME_MAXLEN },
+       [IPVS_SVC_ATTR_FLAGS]           = { .type = NLA_BINARY,
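Review bot: The `<= 0` test on the strscpy() call in the first hunk also rejects an empty mcast_ifn, since strscpy() returns 0 for an empty source, which goes beyond the missing-NUL case the commit message describes; if that is intended it deserves a comment, e.g. `/* -E2BIG: name not NUL-terminated within the buffer; 0: empty name -- both invalid */`. The sched_name check in the second hunk expresses the same "no NUL within the buffer" condition through `strnlen() == IP_VS_SCHEDNAME_MAXLEN`, and a short comment there should state that it relies on IP_VS_SCHEDNAME_MAXLEN including the terminator, as the message explains. The `.len = ... - 1` policy changes in the last two hunks are consistent with that, since NLA_NUL_STRING's len excludes the NUL. Both sockopt checks sit in do_ip_vs_set_ctl(), whose body starts before and continues after these hunks.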
diff --git a/queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch
new file mode 100644 (file)
index 0000000..7415777
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Josh Hill <josh@joshuajhill.com>
+Date: Sun, 27 May 2018 20:10:41 -0400
+Subject: net: qmi_wwan: Add Netgear Aircard 779S
+
+From: Josh Hill <josh@joshuajhill.com>
+
+[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ]
+
+Add support for Netgear Aircard 779S
+
+Signed-off-by: Josh Hill <josh@joshuajhill.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -635,6 +635,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+       {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
++      {QMI_FIXED_INTF(0x0846, 0x68d3, 8)},    /* Netgear Aircard 779S */
+       {QMI_FIXED_INTF(0x12d1, 0x140c, 1)},    /* Huawei E173 */
+       {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)},    /* Huawei E1820 */
+       {QMI_FIXED_INTF(0x1435, 0xd181, 3)},    /* Wistron NeWeb D18Q1 */
diff --git a/queue-4.4/net-sonic-use-dma_mapping_error.patch b/queue-4.4/net-sonic-use-dma_mapping_error.patch
new file mode 100644 (file)
index 0000000..d87cb1e
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 30 May 2018 13:03:51 +1000
+Subject: net/sonic: Use dma_mapping_error()
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ]
+
+With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
+message, "DMA-API: device driver failed to check map error".
+Add the missing dma_mapping_error() call.
+
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/natsemi/sonic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -71,7 +71,7 @@ static int sonic_open(struct net_device
+       for (i = 0; i < SONIC_NUM_RRS; i++) {
+               dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
+                                                 SONIC_RBSIZE, DMA_FROM_DEVICE);
+-              if (!laddr) {
++              if (dma_mapping_error(lp->device, laddr)) {
+                       while(i > 0) { /* free any that were mapped successfully */
+                               i--;
+                               dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
diff --git a/queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch
new file mode 100644 (file)
index 0000000..dc35fba
--- /dev/null
@@ -0,0 +1,100 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 27 Apr 2018 10:45:31 +0200
+Subject: netfilter: ebtables: handle string from userspace with care
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+  print_address_description+0x6c/0x20b mm/kasan/report.c:256
+  kasan_report_error mm/kasan/report.c:354 [inline]
+  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+  memcpy+0x37/0x50 mm/kasan/kasan.c:303
+  strlcpy include/linux/string.h:300 [inline]
+  compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+  ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+  size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+  compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+  compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+  compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+  compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+  compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+  compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+  inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+  compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+  compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+  __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+  __do_compat_sys_setsockopt net/compat.c:416 [inline]
+  __se_compat_sys_setsockopt net/compat.c:413 [inline]
+  __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+  do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+  do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/ebtables.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1912,7 +1912,8 @@ static int compat_mtw_from_user(struct c
+       int off, pad = 0;
+       unsigned int size_kern, match_size = mwt->match_size;
+-      strlcpy(name, mwt->u.name, sizeof(name));
++      if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++              return -EINVAL;
+       if (state->buf_kern_start)
+               dst = state->buf_kern_start + state->buf_kern_offset;
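Review bot: The `< 0` test lets an empty name through, since strscpy() returns 0 for an empty source, and only rejects a name with no NUL within `sizeof(name)` (-E2BIG); presumably the later lookup by name fails for "" anyway, but a comment at the check would document that reliance, e.g. `/* -E2BIG: user-supplied name not NUL-terminated within sizeof(name); an empty name is left to the lookup below */`. The companion ipvs patch in this batch uses `<= 0` and so rejects empty names outright; the two need not agree, but the intent should be stated in each. compat_mtw_from_user() starts before and continues after this hunk.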
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..6fea996
--- /dev/null
@@ -0,0 +1,6 @@
+xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch
+netfilter-ebtables-handle-string-from-userspace-with-care.patch
+ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch
+atm-zatm-fix-memcmp-casting.patch
+net-qmi_wwan-add-netgear-aircard-779s.patch
+net-sonic-use-dma_mapping_error.patch
diff --git a/queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch b/queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch
new file mode 100644 (file)
index 0000000..7118d66
--- /dev/null
@@ -0,0 +1,97 @@
+From foo@baz Sun Jun 17 13:05:08 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 12 May 2018 02:49:30 -0700
+Subject: xfrm6: avoid potential infinite loop in _decode_session6()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ]
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last  enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS:  0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_policy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, st
+       struct flowi6 *fl6 = &fl->u.ip6;
+       int onlyproto = 0;
+       const struct ipv6hdr *hdr = ipv6_hdr(skb);
+-      u16 offset = sizeof(*hdr);
++      u32 offset = sizeof(*hdr);
+       struct ipv6_opt_hdr *exthdr;
+       const unsigned char *nh = skb_network_header(skb);
+       u16 nhoff = IP6CB(skb)->nhoff;
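Review bot: Widening `offset` to u32 removes the wraparound, but nothing in the hunk records why a u32 cannot wrap in turn; the loop that advances `offset` is past the end of the hunk, and the bound presumably comes from pskb_may_pull() failing once offset exceeds the packet, with each extension header adding a bounded amount. A comment at the declaration would capture that for the next reader, e.g. `/* u32: a u16 could wrap on a long extension-header chain and never terminate */`. The `u16 nhoff` two lines below stays 16-bit, which is fine as long as it is only used as a starting position and never as an accumulating sum; worth confirming in the body of _decode_session6(), which begins before and continues after this hunk.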