3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Jul 2017 14:13:16 +0000 (16:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Jul 2017 14:13:16 +0000 (16:13 +0200)
added patches:
decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch
fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
igmp-add-a-missing-spin_lock_init.patch
ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch
net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch
netfilter-synproxy-fix-conntrackd-interaction.patch
netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch

12 files changed:
queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch [new file with mode: 0644]
queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch [new file with mode: 0644]
queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch [new file with mode: 0644]
queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch [new file with mode: 0644]
queue-3.18/igmp-add-a-missing-spin_lock_init.patch [new file with mode: 0644]
queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch [new file with mode: 0644]
queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch [new file with mode: 0644]
queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch [new file with mode: 0644]
queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch [new file with mode: 0644]
queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch [new file with mode: 0644]
queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch b/queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
new file mode 100644 (file)
index 0000000..11e9a58
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Wei Wang <weiwan@google.com>
+Date: Fri, 16 Jun 2017 10:46:37 -0700
+Subject: decnet: always not take dst->__refcnt when inserting dst into hash table
+
+From: Wei Wang <weiwan@google.com>
+
+
+[ Upstream commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f ]
+
+In the existing dn_route.c code, dn_route_output_slow() takes
+dst->__refcnt before calling dn_insert_route() while dn_route_input_slow()
+does not take dst->__refcnt before calling dn_insert_route().
+This makes the whole routing code very buggy.
+In dn_dst_check_expire(), dnrt_free() is called when rt expires. This
+makes the routes inserted by dn_route_output_slow() not able to be
+freed as the refcnt is not released.
+In dn_dst_gc(), dnrt_drop() is called to release rt which could
+potentially cause the dst->__refcnt to be dropped to -1.
+In dn_run_flush(), dst_free() is called to release all the dst. Again,
+it makes the dst inserted by dn_route_output_slow() not able to be
+released and also, it does not wait on the rcu and could potentially
+cause crash in the path where other users still refer to this dst.
+
+This patch makes sure both input and output path do not take
+dst->__refcnt before calling dn_insert_route() and also makes sure
+dnrt_free()/dst_free() is called when removing dst from the hash table.
+The only difference between those 2 calls is that dnrt_free() waits on
+the rcu while dst_free() does not.
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/decnet/dn_route.c |   14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/net/decnet/dn_route.c
++++ b/net/decnet/dn_route.c
+@@ -189,12 +189,6 @@ static inline void dnrt_free(struct dn_r
+       call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
+ }
+-static inline void dnrt_drop(struct dn_route *rt)
+-{
+-      dst_release(&rt->dst);
+-      call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
+-}
+-
+ static void dn_dst_check_expire(unsigned long dummy)
+ {
+       int i;
+@@ -249,7 +243,7 @@ static int dn_dst_gc(struct dst_ops *ops
+                       }
+                       *rtp = rt->dst.dn_next;
+                       rt->dst.dn_next = NULL;
+-                      dnrt_drop(rt);
++                      dnrt_free(rt);
+                       break;
+               }
+               spin_unlock_bh(&dn_rt_hash_table[i].lock);
+@@ -351,7 +345,7 @@ static int dn_insert_route(struct dn_rou
+                       dst_use(&rth->dst, now);
+                       spin_unlock_bh(&dn_rt_hash_table[hash].lock);
+-                      dnrt_drop(rt);
++                      dst_free(&rt->dst);
+                       *rp = rth;
+                       return 0;
+               }
+@@ -381,7 +375,7 @@ static void dn_run_flush(unsigned long d
+               for(; rt; rt = next) {
+                       next = rcu_dereference_raw(rt->dst.dn_next);
+                       RCU_INIT_POINTER(rt->dst.dn_next, NULL);
+-                      dst_free((struct dst_entry *)rt);
++                      dnrt_free(rt);
+               }
+ nothing_to_declare:
+@@ -1195,7 +1189,7 @@ make_route:
+       if (dev_out->flags & IFF_LOOPBACK)
+               flags |= RTCF_LOCAL;
+-      rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST);
++      rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST);
+       if (rt == NULL)
+               goto e_nobufs;
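Review bot: Swapping dnrt_drop() for dnrt_free() in the dn_dst_gc hunk removes the dst_release() that previously balanced a reference, so the gc loop's choice of which route to unlink — which sits above this hunk — must now only select entries whose __refcnt is already zero; the changelog argues this only for the insert paths, so it is worth confirming. dnrt_free's definition also begins above the hunk and nothing in the code states the new invariant; a one-line note there such as `/* the hash table holds no __refcnt on rt; the caller owns the final release */` would pin it down. The dst_free() on the losing route in dn_insert_route is consistent with the changelog, since that rt was never published and needs no RCU grace period.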
diff --git a/queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch b/queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch
new file mode 100644 (file)
index 0000000..0016bb4
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Wed, 7 Jun 2017 16:14:29 +0200
+Subject: decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+
+[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]
+
+Verify that the length of the socket buffer is sufficient to cover the
+nlmsghdr structure before accessing the nlh->nlmsg_len field for further
+input sanitization. If the client only supplies 1-3 bytes of data in
+sk_buff, then nlh->nlmsg_len remains partially uninitialized and
+contains leftover memory from the corresponding kernel allocation.
+Operating on such data may result in indeterminate evaluation of the
+nlmsg_len < sizeof(*nlh) expression.
+
+The bug was discovered by a runtime instrumentation designed to detect
+use of uninitialized memory in the kernel. The patch prevents this and
+other similar tools (e.g. KMSAN) from flagging this behavior in the future.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/decnet/netfilter/dn_rtmsg.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/netfilter/dn_rtmsg.c
++++ b/net/decnet/netfilter/dn_rtmsg.c
+@@ -104,7 +104,9 @@ static inline void dnrmg_receive_user_sk
+ {
+       struct nlmsghdr *nlh = nlmsg_hdr(skb);
+-      if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
++      if (skb->len < sizeof(*nlh) ||
++          nlh->nlmsg_len < sizeof(*nlh) ||
++          skb->len < nlh->nlmsg_len)
+               return;
+       if (!netlink_capable(skb, CAP_NET_ADMIN))
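Review bot: The new `skb->len < sizeof(*nlh)` guard in dnrmg_receive_user_skb has no comment saying why it must precede the other two tests; the reason (nlmsg_len is only fully initialized once the skb covers the whole header) lives only in the changelog. Add `/* skb must cover the whole nlmsghdr before nlmsg_len may be read */` above the condition. Deriving `nlh` via nlmsg_hdr() before the check is fine, as it is a pointer computation with no dereference. The rest of the function lies outside the hunk.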
diff --git a/queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch b/queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
new file mode 100644 (file)
index 0000000..1e24f63
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Krister Johansen <kjlx@templeofstupid.com>
+Date: Thu, 8 Jun 2017 13:12:38 -0700
+Subject: Fix an intermittent pr_emerg warning about lo becoming free.
+
+From: Krister Johansen <kjlx@templeofstupid.com>
+
+
+[ Upstream commit f186ce61bb8235d80068c390dc2aad7ca427a4c2 ]
+
+It looks like this:
+
+Message from syslogd@flamingo at Apr 26 00:45:00 ...
+ kernel:unregister_netdevice: waiting for lo to become free. Usage count = 4
+
+They seem to coincide with net namespace teardown.
+
+The message is emitted by netdev_wait_allrefs().
+
+Forced a kdump in netdev_run_todo, but found that the refcount on the lo
+device was already 0 at the time we got to the panic.
+
+Used bcc to check the blocking in netdev_run_todo.  The only places
+where we're off cpu there are in the rcu_barrier() and msleep() calls.
+That behavior is expected.  The msleep time coincides with the amount of
+time we spend waiting for the refcount to reach zero; the rcu_barrier()
+wait times are not excessive.
+
+After looking through the list of callbacks that the netdevice notifiers
+invoke in this path, it appears that the dst_dev_event is the most
+interesting.  The dst_ifdown path places a hold on the loopback_dev as
+part of releasing the dev associated with the original dst cache entry.
+Most of our notifier callbacks are straight-forward, but this one a)
+looks complex, and b) places a hold on the network interface in
+question.
+
+I constructed a new bcc script that watches various events in the
+liftime of a dst cache entry.  Note that dst_ifdown will take a hold on
+the loopback device until the invalidated dst entry gets freed.
+
+[      __dst_free] on DST: ffff883ccabb7900 IF tap1008300eth0 invoked at 1282115677036183
+    __dst_free
+    rcu_nocb_kthread
+    kthread
+    ret_from_fork
+Acked-by: Eric Dumazet <edumazet@google.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dst.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -397,6 +397,20 @@ static int dst_dev_event(struct notifier
+               spin_lock_bh(&dst_garbage.lock);
+               dst = dst_garbage.list;
+               dst_garbage.list = NULL;
++              /* The code in dst_ifdown places a hold on the loopback device.
++               * If the gc entry processing is set to expire after a lengthy
++               * interval, this hold can cause netdev_wait_allrefs() to hang
++               * out and wait for a long time -- until the the loopback
++               * interface is released.  If we're really unlucky, it'll emit
++               * pr_emerg messages to console too.  Reset the interval here,
++               * so dst cleanups occur in a more timely fashion.
++               */
++              if (dst_garbage.timer_inc > DST_GC_INC) {
++                      dst_garbage.timer_inc = DST_GC_INC;
++                      dst_garbage.timer_expires = DST_GC_MIN;
++                      mod_delayed_work(system_wq, &dst_gc_work,
++                                       dst_garbage.timer_expires);
++              }
+               spin_unlock_bh(&dst_garbage.lock);
+               if (last)
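Review bot: The new comment in dst_dev_event contains a duplicated word: `* out and wait for a long time -- until the the loopback` should read `* out and wait for a long time -- until the loopback`. The embedded changelog also looks truncated: the bcc trace stops right after `ret_from_fork` and no Signed-off-by from the patch author precedes the Acked-by, which is worth checking against the upstream commit before the stable release goes out. The timer reset itself is performed under dst_garbage.lock, matching how the surrounding lines access those fields.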
diff --git a/queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch b/queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
new file mode 100644 (file)
index 0000000..aee5d5a
--- /dev/null
@@ -0,0 +1,82 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 12 Jun 2017 09:52:26 -0700
+Subject: igmp: acquire pmc lock for ip_mc_clear_src()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit c38b7d327aafd1e3ad7ff53eefac990673b65667 ]
+
+Andrey reported a use-after-free in add_grec():
+
+        for (psf = *psf_list; psf; psf = psf_next) {
+               ...
+                psf_next = psf->sf_next;
+
+where the struct ip_sf_list's were already freed by:
+
+ kfree+0xe8/0x2b0 mm/slub.c:3882
+ ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
+ ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
+ ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
+ inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ sock_close+0x16/0x20 net/socket.c:1072
+
+This happens because we don't hold pmc->lock in ip_mc_clear_src()
+and a parallel mr_ifc_timer timer could jump in and access them.
+
+The RCU lock is there but it is merely for pmc itself, this
+spinlock could actually ensure we don't access them in parallel.
+
+Thanks to Eric and Long for discussion on this bug.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c |   21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1832,21 +1832,26 @@ static int ip_mc_add_src(struct in_devic
+ static void ip_mc_clear_src(struct ip_mc_list *pmc)
+ {
+-      struct ip_sf_list *psf, *nextpsf;
++      struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
+-      for (psf = pmc->tomb; psf; psf = nextpsf) {
++      spin_lock_bh(&pmc->lock);
++      tomb = pmc->tomb;
++      pmc->tomb = NULL;
++      sources = pmc->sources;
++      pmc->sources = NULL;
++      pmc->sfmode = MCAST_EXCLUDE;
++      pmc->sfcount[MCAST_INCLUDE] = 0;
++      pmc->sfcount[MCAST_EXCLUDE] = 1;
++      spin_unlock_bh(&pmc->lock);
++
++      for (psf = tomb; psf; psf = nextpsf) {
+               nextpsf = psf->sf_next;
+               kfree(psf);
+       }
+-      pmc->tomb = NULL;
+-      for (psf = pmc->sources; psf; psf = nextpsf) {
++      for (psf = sources; psf; psf = nextpsf) {
+               nextpsf = psf->sf_next;
+               kfree(psf);
+       }
+-      pmc->sources = NULL;
+-      pmc->sfmode = MCAST_EXCLUDE;
+-      pmc->sfcount[MCAST_INCLUDE] = 0;
+-      pmc->sfcount[MCAST_EXCLUDE] = 1;
+ }
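Review bot: ip_mc_clear_src now takes pmc->lock unconditionally, which presumes every ip_mc_list reaching it has an initialized spinlock; the companion igmp-add-a-missing-spin_lock_init.patch in this queue supplies that for the igmpv3_add_delrec path, and its changelog records the lockdep warning this patch alone produces. The two must land together, which the series-file ordering does ensure. A short comment above the lock, `/* detach both lists under pmc->lock so mr_ifc_timer cannot walk them while they are freed */`, would record why the lists are moved to locals before the kfree loops.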
diff --git a/queue-3.18/igmp-add-a-missing-spin_lock_init.patch b/queue-3.18/igmp-add-a-missing-spin_lock_init.patch
new file mode 100644 (file)
index 0000000..df7c501
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Tue, 20 Jun 2017 10:46:27 -0700
+Subject: igmp: add a missing spin_lock_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 ]
+
+Andrey reported a lockdep warning on non-initialized
+spinlock:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+  __dump_stack lib/dump_stack.c:16
+  dump_stack+0x292/0x395 lib/dump_stack.c:52
+  register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
+  ? 0xffffffffa0000000
+  __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
+  lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
+  __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
+  _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
+  spin_lock_bh ./include/linux/spinlock.h:304
+  ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
+  igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
+  ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736
+
+We miss a spin_lock_init() in igmpv3_add_delrec(), probably
+because previously we never use it on this code path. Since
+we already unlink it from the global mc_tomb list, it is
+probably safe not to acquire this spinlock here. It does not
+harm to have it although, to avoid conditional locking.
+
+Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1080,6 +1080,7 @@ static void igmpv3_add_delrec(struct in_
+       pmc = kzalloc(sizeof(*pmc), GFP_KERNEL);
+       if (!pmc)
+               return;
++      spin_lock_init(&pmc->lock);
+       spin_lock_bh(&im->lock);
+       pmc->interface = im->interface;
+       in_dev_hold(in_dev);
diff --git a/queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch b/queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
new file mode 100644 (file)
index 0000000..1ffad39
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 15 Jun 2017 16:33:58 +0800
+Subject: ipv6: fix calling in6_ifa_hold incorrectly for dad work
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit f8a894b218138888542a5058d0e902378fd0d4ec ]
+
+Now when starting the dad work in addrconf_mod_dad_work, if the dad work
+is idle and queued, it needs to hold ifa.
+
+The problem is there's one gap in [1], during which if the pending dad work
+is removed elsewhere. It will miss to hold ifa, but the dad word is still
+idea and queue.
+
+        if (!delayed_work_pending(&ifp->dad_work))
+                in6_ifa_hold(ifp);
+                    <--------------[1]
+        mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
+
+An use-after-free issue can be caused by this.
+
+Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
+net6_ifa_finish_destroy was hit because of it.
+
+As Hannes' suggestion, this patch is to fix it by holding ifa first in
+addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
+the dad_work is already in queue.
+
+Note that this patch did not choose to fix it with:
+
+  if (!mod_delayed_work(delay))
+          in6_ifa_hold(ifp);
+
+As with it, when delay == 0, dad_work would be scheduled immediately, all
+addrconf_mod_dad_work(0) callings had to be moved under ifp->lock.
+
+Reported-by: Wei Chen <weichen@redhat.com>
+Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -269,9 +269,9 @@ static void addrconf_mod_rs_timer(struct
+ static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
+                                  unsigned long delay)
+ {
+-      if (!delayed_work_pending(&ifp->dad_work))
+-              in6_ifa_hold(ifp);
+-      mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
++      in6_ifa_hold(ifp);
++      if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay))
++              in6_ifa_put(ifp);
+ }
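Review bot: The reworked addrconf_mod_dad_work has no comment explaining the hold-then-conditional-put pattern, which a later reader could easily "simplify" back into the racy form. Add above the hold: `/* Take a ref for the work before queueing; mod_delayed_work() returns true when the work was already pending and already owned a ref, so drop ours again. */`. The changelog's reason for rejecting the `if (!mod_delayed_work())` variant (delay == 0 would force all callers under ifp->lock) deserves a one-line mention in that comment as well.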
+ static int snmp6_alloc_dev(struct inet6_dev *idev)
diff --git a/queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch b/queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
new file mode 100644 (file)
index 0000000..808d647
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Fri, 16 Jun 2017 15:00:02 +0800
+Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+
+[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ]
+
+The register_vlan_device would invoke free_netdev directly, when
+register_vlan_dev failed. It would trigger the BUG_ON in free_netdev
+if the dev was already registered. In this case, the netdev would be
+freed in netdev_run_todo later.
+
+So add one condition check now. Only when dev is not registered, then
+free it directly.
+
+The following is the part coredump when netdev_upper_dev_link failed
+in register_vlan_dev. I removed the lines which are too long.
+
+[  411.237457] ------------[ cut here ]------------
+[  411.237458] kernel BUG at net/core/dev.c:7998!
+[  411.237484] invalid opcode: 0000 [#1] SMP
+[  411.237705]  [last unloaded: 8021q]
+[  411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G            E   4.12.0-rc5+ #6
+[  411.237737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[  411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000
+[  411.237782] RIP: 0010:free_netdev+0x116/0x120
+[  411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297
+[  411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878
+[  411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000
+[  411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801
+[  411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000
+[  411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000
+[  411.239518] FS:  00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000
+[  411.239949] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0
+[  411.240936] Call Trace:
+[  411.241462]  vlan_ioctl_handler+0x3f1/0x400 [8021q]
+[  411.241910]  sock_ioctl+0x18b/0x2c0
+[  411.242394]  do_vfs_ioctl+0xa1/0x5d0
+[  411.242853]  ? sock_alloc_file+0xa6/0x130
+[  411.243465]  SyS_ioctl+0x79/0x90
+[  411.243900]  entry_SYSCALL_64_fastpath+0x1e/0xa9
+[  411.244425] RIP: 0033:0x7fb69089a357
+[  411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[  411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357
+[  411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003
+[  411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999
+[  411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004
+[  411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001
+[  411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -278,7 +278,8 @@ static int register_vlan_device(struct n
+       return 0;
+ out_free_newdev:
+-      free_netdev(new_dev);
++      if (new_dev->reg_state == NETREG_UNINITIALIZED)
++              free_netdev(new_dev);
+       return err;
+ }
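Review bot: The new reg_state check on the out_free_newdev path of register_vlan_device relies on an already-registered device being freed later by the unregister machinery (the changelog names netdev_run_todo), but the code itself does not say so and the else side silently falls through. Add `/* once registered, the device is freed by netdev_run_todo() after unregistration */` above the condition so the omission is clearly intentional. The function begins above the hunk, so the error paths that jump to this label are not visible here.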
diff --git a/queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch b/queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch
new file mode 100644 (file)
index 0000000..c2eff43
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Sat, 10 Jun 2017 16:49:39 +0800
+Subject: net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit f146e872eb12ebbe92d8e583b2637e0741440db3 ]
+
+The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the
+function call path is:
+cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock)
+  cfctrl_linkdown_req
+    cfpkt_create
+      cfpkt_create_pfx
+        alloc_skb(GFP_KERNEL) --> may sleep
+cfserl_receive (acquire the lock by rcu_read_lock)
+  cfpkt_split
+    cfpkt_create_pfx
+      alloc_skb(GFP_KERNEL) --> may sleep
+
+There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or
+"GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function
+is called under a rcu read lock, instead in interrupt.
+
+To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/cfpkt_skbuff.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/caif/cfpkt_skbuff.c
++++ b/net/caif/cfpkt_skbuff.c
+@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u1
+ {
+       struct sk_buff *skb;
+-      if (likely(in_interrupt()))
+-              skb = alloc_skb(len + pfx, GFP_ATOMIC);
+-      else
+-              skb = alloc_skb(len + pfx, GFP_KERNEL);
+-
++      skb = alloc_skb(len + pfx, GFP_ATOMIC);
+       if (unlikely(skb == NULL))
+               return NULL;
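Review bot: cfpkt_create_pfx now allocates with GFP_ATOMIC for every caller, including those not under rcu_read_lock(), and the hunk does not record why; add `/* callers may hold rcu_read_lock(), so never sleep here */` above the alloc_skb() call. Sleepable callers will presumably see more allocation failures under memory pressure as a result, which the NULL check below already handles. The signature line is cut in the hunk header, so the types of len and pfx were not checked here.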
diff --git a/queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch b/queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch
new file mode 100644 (file)
index 0000000..903de37
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Jun 29 19:45:34 CEST 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Tue, 6 Jun 2017 15:56:54 +0200
+Subject: net: don't call strlen on non-terminated string in dev_set_alias()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit c28294b941232931fbd714099798eb7aa7e865d7 ]
+
+KMSAN reported a use of uninitialized memory in dev_set_alias(),
+which was caused by calling strlcpy() (which in turn called strlen())
+on the user-supplied non-terminated string.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1194,8 +1194,9 @@ int dev_set_alias(struct net_device *dev
+       if (!new_ifalias)
+               return -ENOMEM;
+       dev->ifalias = new_ifalias;
++      memcpy(dev->ifalias, alias, len);
++      dev->ifalias[len] = 0;
+-      strlcpy(dev->ifalias, alias, len+1);
+       return len;
+ }
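Review bot: The terminating write `dev->ifalias[len] = 0;` in dev_set_alias assumes new_ifalias was allocated with at least len + 1 bytes, which happens above the hunk and cannot be confirmed here — worth checking together with the upper bound on len. Spell the terminator as `dev->ifalias[len] = '\0';` and add `/* alias comes from userspace and is not NUL-terminated: copy exactly len bytes */` above the memcpy so the reason strlcpy() was wrong stays with the code. The start of dev_set_alias lies outside the hunk.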
diff --git a/queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch b/queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch
new file mode 100644 (file)
index 0000000..e91b8f4
--- /dev/null
@@ -0,0 +1,45 @@
+From 87e94dbc210a720a34be5c1174faee5c84be963e Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Thu, 11 May 2017 18:56:38 +0200
+Subject: netfilter: synproxy: fix conntrackd interaction
+
+From: Eric Leblond <eric@regit.org>
+
+commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.
+
+This patch fixes the creation of connection tracking entry from
+netlink when synproxy is used. It was missing the addition of
+the synproxy extension.
+
+This was causing kernel crashes when a conntrack entry created by
+conntrackd was used after the switch of traffic from active node
+to the passive node.
+
+Signed-off-by: Eric Leblond <eric@regit.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_netlink.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -45,6 +45,8 @@
+ #include <net/netfilter/nf_conntrack_zones.h>
+ #include <net/netfilter/nf_conntrack_timestamp.h>
+ #include <net/netfilter/nf_conntrack_labels.h>
++#include <net/netfilter/nf_conntrack_seqadj.h>
++#include <net/netfilter/nf_conntrack_synproxy.h>
+ #ifdef CONFIG_NF_NAT_NEEDED
+ #include <net/netfilter/nf_nat_core.h>
+ #include <net/netfilter/nf_nat_l4proto.h>
+@@ -1688,6 +1690,8 @@ ctnetlink_create_conntrack(struct net *n
+       nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
+       nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
+       nf_ct_labels_ext_add(ct);
++      nfct_seqadj_ext_add(ct);
++      nfct_synproxy_ext_add(ct);
+       /* we must add conntrack extensions before confirmation. */
+       ct->status |= IPS_CONFIRMED;
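Review bot: The return values of the new `nfct_seqadj_ext_add(ct)` and `nfct_synproxy_ext_add(ct)` calls in ctnetlink_create_conntrack are ignored, so an allocation failure would confirm the entry without the extension — presumably the same state the changelog describes as crashing. That mirrors the unchecked tstamp, ecache and labels calls directly above, so it is consistent style rather than a regression, but whether the synproxy path tolerates a missing extension is not verifiable from this hunk and deserves a look at the consumer. The function starts above the hunk.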
diff --git a/queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch b/queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
new file mode 100644 (file)
index 0000000..5948f5f
--- /dev/null
@@ -0,0 +1,47 @@
+From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Apr 2017 10:55:11 -0700
+Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.
+
+Denys provided an awesome KASAN report pointing to an use
+after free in xt_TCPMSS
+
+I have provided three patches to fix this issue, either in xt_TCPMSS or
+in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
+impact.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_TCPMSS.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
+       tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+       tcp_hdrlen = tcph->doff * 4;
+-      if (len < tcp_hdrlen)
++      if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
+               return -1;
+       if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
+       if (len > tcp_hdrlen)
+               return 0;
++      /* tcph->doff has 4 bits, do not wrap it to 0 */
++      if (tcp_hdrlen >= 15 * 4)
++              return 0;
++
+       /*
+        * MSS Option not found ?! add it..
+        */
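Review bot: The new `tcp_hdrlen >= 15 * 4` guard in tcpmss_mangle_packet protects a doff increment that happens later in the function, outside this hunk, and the accompanying comment does not say so; sharpen it to `/* doff is a 4-bit field (max 60 bytes); adding the MSS option below would wrap it to 0 */`. The earlier guard compares the int tcp_hdrlen against `sizeof(struct tcphdr)`, which promotes the left side to unsigned — harmless because tcp_hdrlen is doff * 4 and cannot be negative, but writing `(int)sizeof(struct tcphdr)` keeps the comparison signed and avoids relying on that reasoning.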
index e6f2c1c06be07c07772b7165a62e56122a90d7b8..aba262bf0e84ee47444aad03ea26fd1d8ed589fa 100644 (file)
@@ -1,2 +1,13 @@
 xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch
 ipv6-release-dst-on-error-in-ip6_dst_lookup_tail.patch
+netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch
+netfilter-synproxy-fix-conntrackd-interaction.patch
+net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch
+decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch
+fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
+net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch
+igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
+igmp-add-a-missing-spin_lock_init.patch
+ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
+decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
+net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch