--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Wed, 6 Jun 2018 15:03:22 +0200
+Subject: bnx2x: use the right constant
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit dd612f18a49b63af8b3a5f572d999bdb197385bc ]
+
+Nearby code that also tests port suggests that the P0 constant should be
+used when port is zero.
+
+The semantic match that finds this problem is as follows:
+(http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+expression e,e1;
+@@
+
+* e ? e1 : e1
+// </smpl>
+
+Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+@@ -588,7 +588,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
+ * slots for the highest priority.
+ */
+ REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
+- NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
++ NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+ /* Mapping between the CREDIT_WEIGHT registers and actual client
+ * numbers
+ */
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Mon, 21 May 2018 19:28:44 +0300
+Subject: dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+[ Upstream commit 2677d20677314101293e6da0094ede7b5526d2b1 ]
+
+Syzbot reported the use-after-free in timer_is_static_object() [1].
+
+This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
+is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
+called after that.
+
+The report [1] is similar to the one in commit 120e9dabaf55 ("dccp:
+defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
+delay freeing ccid2_hc_tx_sock structure, so that it is freed in
+dccp_sk_destruct().
+
+[1]
+
+==================================================================
+BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
+kernel/time/timer.c:607
+Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
+
+CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+ timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
+ debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
+ debug_timer_activate kernel/time/timer.c:709 [inline]
+ debug_activate kernel/time/timer.c:764 [inline]
+ __mod_timer kernel/time/timer.c:1041 [inline]
+ mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
+ sk_reset_timer+0x22/0x60 net/core/sock.c:2742
+ ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
+ call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d1/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:525 [inline]
+ smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
+ </IRQ>
+...
+Allocated by task 25374:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
+ ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
+ dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
+ __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
+ dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
+ dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
+ dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
+ dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
+ dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
+ dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
+ ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
+ __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
+ process_backlog+0x219/0x760 net/core/dev.c:5337
+ napi_poll net/core/dev.c:5735 [inline]
+ net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+
+Freed by task 25374:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
+ ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
+ dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
+ dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
+ inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
+ sock_release+0x96/0x1b0 net/socket.c:594
+ sock_close+0x16/0x20 net/socket.c:1149
+ __fput+0x34d/0x890 fs/file_table.c:209
+ ____fput+0x15/0x20 fs/file_table.c:243
+ task_work_run+0x1e4/0x290 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:191 [inline]
+ exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
+ prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
+ do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801bebb4cc0
+ which belongs to the cache ccid2_hc_tx_sock of size 1240
+The buggy address is located 1112 bytes inside of
+ 1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
+The buggy address belongs to the page:
+page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
+index:0xffff8801bebb5240 compound_mapcount: 0
+flags: 0x2fffc0000008100(slab|head)
+raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
+raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
+page dumped because: kasan: bad access detected
+...
+==================================================================
+
+Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -280,9 +280,7 @@ int dccp_disconnect(struct sock *sk, int
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
+- dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Wed, 23 May 2018 11:17:39 -0700
+Subject: enic: set DMA mask to 47 bit
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit 322eaa06d55ebc1402a4a8d140945cff536638b4 ]
+
+In commit 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then
+failover to DMA") DMA mask was changed from 40 bits to 64 bits.
+Hardware actually supports only 47 bits.
+
+Fixes: 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA")
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2362,11 +2362,11 @@ static int enic_probe(struct pci_dev *pd
+ pci_set_master(pdev);
+
+ /* Query PCI controller on system for DMA addressing
+- * limitation for the device. Try 64-bit first, and
++ * limitation for the device. Try 47-bit first, and
+ * fail to 32-bit.
+ */
+
+- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64));
++ err = pci_set_dma_mask(pdev, DMA_BIT_MASK(47));
+ if (err) {
+ err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32));
+ if (err) {
+@@ -2380,10 +2380,10 @@ static int enic_probe(struct pci_dev *pd
+ goto err_out_release_regions;
+ }
+ } else {
+- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
++ err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(47));
+ if (err) {
+ dev_err(dev, "Unable to obtain %u-bit DMA "
+- "for consistent allocations, aborting\n", 64);
++ "for consistent allocations, aborting\n", 47);
+ goto err_out_release_regions;
+ }
+ using_dac = 1;
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 5 Jun 2018 15:01:59 +0200
+Subject: ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 848235edb5c93ed086700584c8ff64f6d7fc778d ]
+
+Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
+ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
+setsockopt will fail with -ENOENT, since we haven't actually created
+that table.
+
+A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
+various fixes and cleanups").
+
+Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1788,7 +1788,8 @@ int ip6_mroute_setsockopt(struct sock *s
+ ret = 0;
+ if (!ip6mr_new_table(net, v))
+ ret = -ENOMEM;
+- raw6_sk(sk)->ip6mr_table = v;
++ else
++ raw6_sk(sk)->ip6mr_table = v;
+ rtnl_unlock();
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Mon, 21 May 2018 01:58:07 -0500
+Subject: isdn: eicon: fix a missing-check bug
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+[ Upstream commit 6009d1fe6ba3bb2dab55921da60465329cc1cd89 ]
+
+In divasmain.c, the function divas_write() firstly invokes the function
+diva_xdi_open_adapter() to open the adapter that matches with the adapter
+number provided by the user, and then invokes the function diva_xdi_write()
+to perform the write operation using the matched adapter. The two functions
+diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
+
+In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
+from the userspace pointer 'src' through the function pointer 'cp_fn',
+which eventually calls copy_from_user() to do the copy. Then, the adapter
+number 'msg.adapter' is used to find out a matched adapter from the
+'adapter_queue'. A matched adapter will be returned if it is found.
+Otherwise, NULL is returned to indicate the failure of the verification on
+the adapter number.
+
+As mentioned above, if a matched adapter is returned, the function
+diva_xdi_write() is invoked to perform the write operation. In this
+function, the user command is copied once again from the userspace pointer
+'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
+both of them are from the 'buf' pointer in divas_write(). Similarly, the
+copy is achieved through the function pointer 'cp_fn', which finally calls
+copy_from_user(). After the successful copy, the corresponding command
+processing handler of the matched adapter is invoked to perform the write
+operation.
+
+It is obvious that there are two copies here from userspace, one is in
+diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
+these two copies share the same source userspace pointer, i.e., the 'buf'
+pointer in divas_write(). Given that a malicious userspace process can race
+to change the content pointed by the 'buf' pointer, this can pose potential
+security issues. For example, in the first copy, the user provides a valid
+adapter number to pass the verification process and a valid adapter can be
+found. Then the user can modify the adapter number to an invalid number.
+This way, the user can bypass the verification process of the adapter
+number and inject inconsistent data.
+
+This patch reuses the data copied in
+diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
+above issues can be avoided.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/hardware/eicon/diva.c | 22 +++++++++++++++-------
+ drivers/isdn/hardware/eicon/diva.h | 5 +++--
+ drivers/isdn/hardware/eicon/divasmain.c | 18 +++++++++++-------
+ 3 files changed, 29 insertions(+), 16 deletions(-)
+
+--- a/drivers/isdn/hardware/eicon/diva.c
++++ b/drivers/isdn/hardware/eicon/diva.c
+@@ -387,10 +387,10 @@ void divasa_xdi_driver_unload(void)
+ ** Receive and process command from user mode utility
+ */
+ void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
+- int length,
++ int length, void *mptr,
+ divas_xdi_copy_from_user_fn_t cp_fn)
+ {
+- diva_xdi_um_cfg_cmd_t msg;
++ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
+ diva_os_xdi_adapter_t *a = NULL;
+ diva_os_spin_lock_magic_t old_irql;
+ struct list_head *tmp;
+@@ -400,21 +400,21 @@ void *diva_xdi_open_adapter(void *os_han
+ length, sizeof(diva_xdi_um_cfg_cmd_t)))
+ return NULL;
+ }
+- if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) {
++ if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) {
+ DBG_ERR(("A: A(?) open, write error"))
+ return NULL;
+ }
+ diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter");
+ list_for_each(tmp, &adapter_queue) {
+ a = list_entry(tmp, diva_os_xdi_adapter_t, link);
+- if (a->controller == (int)msg.adapter)
++ if (a->controller == (int)msg->adapter)
+ break;
+ a = NULL;
+ }
+ diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter");
+
+ if (!a) {
+- DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter))
++ DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter))
+ }
+
+ return (a);
+@@ -436,8 +436,10 @@ void diva_xdi_close_adapter(void *adapte
+
+ int
+ diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
+- int length, divas_xdi_copy_from_user_fn_t cp_fn)
++ int length, void *mptr,
++ divas_xdi_copy_from_user_fn_t cp_fn)
+ {
++ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
+ diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter;
+ void *data;
+
+@@ -458,7 +460,13 @@ diva_xdi_write(void *adapter, void *os_h
+ return (-2);
+ }
+
+- length = (*cp_fn) (os_handle, data, src, length);
++ if (msg) {
++ *(diva_xdi_um_cfg_cmd_t *)data = *msg;
++ length = (*cp_fn) (os_handle, (char *)data + sizeof(*msg),
++ src + sizeof(*msg), length - sizeof(*msg));
++ } else {
++ length = (*cp_fn) (os_handle, data, src, length);
++ }
+ if (length > 0) {
+ if ((*(a->interface.cmd_proc))
+ (a, (diva_xdi_um_cfg_cmd_t *) data, length)) {
+--- a/drivers/isdn/hardware/eicon/diva.h
++++ b/drivers/isdn/hardware/eicon/diva.h
+@@ -19,10 +19,11 @@ int diva_xdi_read(void *adapter, void *o
+ int max_length, divas_xdi_copy_to_user_fn_t cp_fn);
+
+ int diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
+- int length, divas_xdi_copy_from_user_fn_t cp_fn);
++ int length, void *msg,
++ divas_xdi_copy_from_user_fn_t cp_fn);
+
+ void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
+- int length,
++ int length, void *msg,
+ divas_xdi_copy_from_user_fn_t cp_fn);
+
+ void diva_xdi_close_adapter(void *adapter, void *os_handle);
+--- a/drivers/isdn/hardware/eicon/divasmain.c
++++ b/drivers/isdn/hardware/eicon/divasmain.c
+@@ -591,19 +591,22 @@ static int divas_release(struct inode *i
+ static ssize_t divas_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
++ diva_xdi_um_cfg_cmd_t msg;
+ int ret = -EINVAL;
+
+ if (!file->private_data) {
+ file->private_data = diva_xdi_open_adapter(file, buf,
+- count,
++ count, &msg,
+ xdi_copy_from_user);
+- }
+- if (!file->private_data) {
+- return (-ENODEV);
++ if (!file->private_data)
++ return (-ENODEV);
++ ret = diva_xdi_write(file->private_data, file,
++ buf, count, &msg, xdi_copy_from_user);
++ } else {
++ ret = diva_xdi_write(file->private_data, file,
++ buf, count, NULL, xdi_copy_from_user);
+ }
+
+- ret = diva_xdi_write(file->private_data, file,
+- buf, count, xdi_copy_from_user);
+ switch (ret) {
+ case -1: /* Message should be removed from rx mailbox first */
+ ret = -EBUSY;
+@@ -622,11 +625,12 @@ static ssize_t divas_write(struct file *
+ static ssize_t divas_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+ {
++ diva_xdi_um_cfg_cmd_t msg;
+ int ret = -EINVAL;
+
+ if (!file->private_data) {
+ file->private_data = diva_xdi_open_adapter(file, buf,
+- count,
++ count, &msg,
+ xdi_copy_from_user);
+ }
+ if (!file->private_data) {
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 10:41:59 +0300
+Subject: net/mlx4: Fix irq-unsafe spinlock usage
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit d546b67cda015fb92bfee93d5dc0ceadb91deaee ]
+
+spin_lock/unlock was used instead of spin_un/lock_irq
+in a procedure used in process space, on a spinlock
+which can be grabbed in an interrupt.
+
+This caused the stack trace below to be displayed (on kernel
+4.17.0-rc1 compiled with Lock Debugging enabled):
+
+[ 154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+[ 154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G I
+[ 154.675856] -----------------------------------------------------
+[ 154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+[ 154.690254] 00000000f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at: mlx4_qp_remove+0x20/0x50 [mlx4_core]
+[ 154.700927]
+and this task is already holding:
+[ 154.707461] 0000000094373b5d (&(&cq->lock)->rlock/1){....}, at: destroy_qp_common+0x111/0x560 [mlx4_ib]
+[ 154.718028] which would create a new lock dependency:
+[ 154.723705] (&(&cq->lock)->rlock/1){....} -> (&(&qp_table->lock)->rlock){+.+.}
+[ 154.731922]
+but this new dependency connects a SOFTIRQ-irq-safe lock:
+[ 154.740798] (&(&cq->lock)->rlock){..-.}
+[ 154.740800]
+... which became SOFTIRQ-irq-safe at:
+[ 154.752163] _raw_spin_lock_irqsave+0x3e/0x50
+[ 154.757163] mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib]
+[ 154.762554] ipoib_tx_poll+0x4a/0xf0 [ib_ipoib]
+...
+to a SOFTIRQ-irq-unsafe lock:
+[ 154.815603] (&(&qp_table->lock)->rlock){+.+.}
+[ 154.815604]
+... which became SOFTIRQ-irq-unsafe at:
+[ 154.827718] ...
+[ 154.827720] _raw_spin_lock+0x35/0x50
+[ 154.833912] mlx4_qp_lookup+0x1e/0x50 [mlx4_core]
+[ 154.839302] mlx4_flow_attach+0x3f/0x3d0 [mlx4_core]
+
+Since mlx4_qp_lookup() is called only in process space, we can
+simply replace the spin_un/lock calls with spin_un/lock_irq calls.
+
+Fixes: 6dc06c08bef1 ("net/mlx4: Fix the check in attaching steering rules")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -363,11 +363,11 @@ struct mlx4_qp *mlx4_qp_lookup(struct ml
+ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
+ struct mlx4_qp *qp;
+
+- spin_lock(&qp_table->lock);
++ spin_lock_irq(&qp_table->lock);
+
+ qp = __mlx4_qp_lookup(dev, qpn);
+
+- spin_unlock(&qp_table->lock);
++ spin_unlock_irq(&qp_table->lock);
+ return qp;
+ }
+
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 1 Jun 2018 09:23:02 -0700
+Subject: net/packet: refine check for priv area size
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
+
+syzbot was able to trick af_packet again [1]
+
+Various commits tried to address the problem in the past,
+but failed to take into account V3 header size.
+
+[1]
+
+tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
+BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
+
+CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
+ prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+ prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+ __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
+ packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
+ tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
+ dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
+ xmit_one net/core/dev.c:3049 [inline]
+ dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
+ __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
+ neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
+ neigh_output include/net/neighbour.h:482 [inline]
+ ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
+ ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
+ NF_HOOK_COND include/linux/netfilter.h:277 [inline]
+ ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
+ dst_output include/net/dst.h:444 [inline]
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
+ ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
+ addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
+ process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
+ worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the page:
+page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
+raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
+Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3877,7 +3877,7 @@ static int packet_set_ring(struct sock *
+ goto out;
+ if (po->tp_version >= TPACKET_V3 &&
+ req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
+ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
--- /dev/null
+From foo@baz Tue Jun 12 18:27:14 CEST 2018
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Thu, 31 May 2018 11:18:29 +0200
+Subject: net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 9f7c728332e8966084242fcd951aa46583bc308c ]
+
+Testing Telit LM940 with ICMP packets > 14552 bytes revealed that
+the modem needs FLAG_SEND_ZLP to properly work, otherwise the cdc
+mbim data interface won't be anymore responsive.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_mbim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -550,7 +550,7 @@ err:
+
+ static const struct driver_info cdc_mbim_info = {
+ .description = "CDC MBIM",
+- .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN,
++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN | FLAG_SEND_ZLP,
+ .bind = cdc_mbim_bind,
+ .unbind = cdc_mbim_unbind,
+ .manage_power = cdc_mbim_manage_power,
--- /dev/null
+From foo@baz Tue Jun 12 11:38:32 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Jun 2018 09:25:19 -0700
+Subject: rtnetlink: validate attributes in do_setlink()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae ]
+
+It seems that rtnl_group_changelink() can call do_setlink
+while a prior call to validate_linkmsg(dev = NULL, ...) could
+not validate IFLA_ADDRESS / IFLA_BROADCAST
+
+Make sure do_setlink() calls validate_linkmsg() instead
+of letting its callers having this responsibility.
+
+With help from Dmitry Vyukov, thanks a lot !
+
+BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
+BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
+BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
+CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
+ __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
+ is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
+ eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
+ eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
+ dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
+ do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
+ rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
+ rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x455a09
+RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
+ do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
+ rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
+ rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2753 [inline]
+ __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:988 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: e7ed828f10bd ("netlink: support setting devgroup parameters")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1503,6 +1503,10 @@ static int do_setlink(const struct sk_bu
+ const struct net_device_ops *ops = dev->netdev_ops;
+ int err;
+
++ err = validate_linkmsg(dev, tb);
++ if (err < 0)
++ return err;
++
+ if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
+ struct net *net = rtnl_link_get_net(dev_net(dev), tb);
+ if (IS_ERR(net)) {
+@@ -1783,10 +1787,6 @@ static int rtnl_setlink(struct sk_buff *
+ goto errout;
+ }
+
+- err = validate_linkmsg(dev, tb);
+- if (err < 0)
+- goto errout;
+-
+ err = do_setlink(skb, dev, ifm, tb, ifname, 0);
+ errout:
+ return err;
mmap-introduce-sane-default-mmap-limits.patch
mmap-relax-file-size-limit-for-regular-files.patch
drm-set-fmode_unsigned_offset-for-drm-files.patch
+bnx2x-use-the-right-constant.patch
+dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dccp_disconnect.patch
+enic-set-dma-mask-to-47-bit.patch
+ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
+isdn-eicon-fix-a-missing-check-bug.patch
+net-packet-refine-check-for-priv-area-size.patch
+net-usb-cdc_mbim-add-flag-flag_send_zlp.patch
+net-mlx4-fix-irq-unsafe-spinlock-usage.patch
+team-use-netdev_features_t-instead-of-u32.patch
+rtnetlink-validate-attributes-in-do_setlink.patch
--- /dev/null
+From foo@baz Tue Jun 12 18:19:32 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 4 Jun 2018 17:46:01 +0300
+Subject: team: use netdev_features_t instead of u32
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 25ea66544bfd1d9df1b7e1502f8717e85fa1e6e6 ]
+
+This code was introduced in 2011 around the same time that we made
+netdev_features_t a u64 type. These days a u32 is not big enough to
+hold all the potential features.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -989,7 +989,8 @@ static void team_port_disable(struct tea
+ static void __team_compute_features(struct team *team)
+ {
+ struct team_port *port;
+- u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
++ netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
++ NETIF_F_ALL_FOR_ALL;
+ unsigned short max_hard_header_len = ETH_HLEN;
+ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
+ IFF_XMIT_DST_RELEASE_PERM;
projects / thirdparty / kernel / stable-queue.git / commitdiff
