--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Petr Machata <petrm@mellanox.com>
+Date: Sun, 17 Feb 2019 07:18:41 +0000
+Subject: mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 289460404f6947ef1c38e67d680be9a84161250b ]
+
+The function-local variable "delay" enters the loop interpreted as delay
+in bits. However, inside the loop it gets overwritten by the result of
+mlxsw_sp_pg_buf_delay_get(), and thus leaves the loop as quantity in
+cells. Thus on second and further loop iterations, the headroom for a
+given priority is configured with a wrong size.
+
+Fix by introducing a loop-local variable, delay_cells. Rename thres to
+thres_cells for consistency.
+
+Fixes: f417f04da589 ("mlxsw: spectrum: Refactor port buffer configuration")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -1161,8 +1161,9 @@ int __mlxsw_sp_port_headroom_set(struct
+ for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+ bool configure = false;
+ bool pfc = false;
++ u16 thres_cells;
++ u16 delay_cells;
+ bool lossy;
+- u16 thres;
+
+ for (j = 0; j < IEEE_8021QAZ_MAX_TCS; j++) {
+ if (prio_tc[j] == i) {
+@@ -1176,10 +1177,11 @@ int __mlxsw_sp_port_headroom_set(struct
+ continue;
+
+ lossy = !(pfc || pause_en);
+- thres = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
+- delay = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay, pfc,
+- pause_en);
+- mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres + delay, thres, lossy);
++ thres_cells = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
++ delay_cells = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay,
++ pfc, pause_en);
++ mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres_cells + delay_cells,
++ thres_cells, lossy);
+ }
+
+ return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(pbmc), pbmc_pl);
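Review bot: The call `mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay, pfc, pause_en)` still takes a variable named only `delay`, which is the same unit ambiguity that produced this bug. A comment above the call such as `/* delay is in bits; delay_cells is the per-PG result in cells */`, or renaming the outer variable (declared outside this hunk) to `delay_bits`, would make the two quantities hard to mix up again. `thres_cells` depends only on `mlxsw_sp` and `mtu`, neither of which changes in the visible loop body, so it could be computed once before the loop. The sum `thres_cells + delay_cells` is formed from two `u16` values; whether mlxsw_sp_pg_buf_pack() accepts a wider type is not visible here, so a large delay might be truncated at that call.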
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sat, 16 Feb 2019 13:44:39 -0800
+Subject: net: Add header for usage of fls64()
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit 8681ef1f3d295bd3600315325f3b3396d76d02f6 ]
+
+Fixes: 3b89ea9c5902 ("net: Fix for_each_netdev_feature on Big endian")
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdev_features.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -11,6 +11,7 @@
+ #define _LINUX_NETDEV_FEATURES_H
+
+ #include <linux/types.h>
++#include <linux/bitops.h>
+ #include <asm/byteorder.h>
+
+ typedef u64 netdev_features_t;
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Mao Wenan <maowenan@huawei.com>
+Date: Mon, 18 Feb 2019 10:44:44 +0800
+Subject: net: crypto set sk to NULL when af_alg_release.
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit 9060cb719e61b685ec0102574e10337fa5f445ea ]
+
+KASAN has found use-after-free in sockfs_setattr.
+The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
+and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
+that crypto module forgets to set the sk to NULL after af_alg_release.
+
+KASAN report details as below:
+BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
+Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
+
+CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description+0x79/0x330
+ ? vprintk_func+0x5e/0xf0
+ kasan_report+0x18a/0x2e0
+ ? sockfs_setattr+0x120/0x150
+ sockfs_setattr+0x120/0x150
+ ? sock_register+0x2d0/0x2d0
+ notify_change+0x90c/0xd40
+ ? chown_common+0x2ef/0x510
+ chown_common+0x2ef/0x510
+ ? chmod_common+0x3b0/0x3b0
+ ? __lock_is_held+0xbc/0x160
+ ? __sb_start_write+0x13d/0x2b0
+ ? __mnt_want_write+0x19a/0x250
+ do_fchownat+0x15c/0x190
+ ? __ia32_sys_chmod+0x80/0x80
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ __x64_sys_fchownat+0xbf/0x160
+ ? lockdep_hardirqs_on+0x39a/0x5e0
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462589
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
+f7 48 89 d6 48 89
+ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
+48 c7 c1 bc ff ff
+ff f7 d8 64 89 01 48
+RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
+RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
+RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
+RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
+R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
+
+Allocated by task 4185:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc+0x14a/0x350
+ sk_prot_alloc+0xf6/0x290
+ sk_alloc+0x3d/0xc00
+ af_alg_accept+0x9e/0x670
+ hash_accept+0x4a3/0x650
+ __sys_accept4+0x306/0x5c0
+ __x64_sys_accept4+0x98/0x100
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 4184:
+ __kasan_slab_free+0x12e/0x180
+ kfree+0xeb/0x2f0
+ __sk_destruct+0x4e6/0x6a0
+ sk_destruct+0x48/0x70
+ __sk_free+0xa9/0x270
+ sk_free+0x2a/0x30
+ af_alg_release+0x5c/0x70
+ __sock_release+0xd3/0x280
+ sock_close+0x1a/0x20
+ __fput+0x27f/0x7f0
+ task_work_run+0x136/0x1b0
+ exit_to_usermode_loop+0x1a7/0x1d0
+ do_syscall_64+0x461/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Syzkaller reproducer:
+r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
+0xffffffffffffffff, 0x0)
+r1 = socket$alg(0x26, 0x5, 0x0)
+getrusage(0x0, 0x0)
+bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
+'sha256-ssse3\x00'}, 0x80)
+r2 = accept(r1, 0x0, 0x0)
+r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
+r4 = dup3(r3, r0, 0x0)
+fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
+
+Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -122,8 +122,10 @@ static void alg_do_release(const struct
+
+ int af_alg_release(struct socket *sock)
+ {
+- if (sock->sk)
++ if (sock->sk) {
+ sock_put(sock->sk);
++ sock->sk = NULL;
++ }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(af_alg_release);
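Review bot: The new `sock->sk = NULL;` store in af_alg_release() has no comment saying which reader it protects or what serialises it, and the hunk shows no lock around the `sock_put()`/clear pair. From the commit text the reader is sockfs_setattr(), and the serialisation presumably comes from the caller changed in 6d8c50dcb029, which is not visible here; without it the pointer would dangle between the put and the store. Once that is confirmed, I would add above the assignment `/* sock_put() may free sk; clear it so sockfs_setattr() sees NULL (caller serialises against setattr) */`.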
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Date: Fri, 15 Feb 2019 14:44:18 -0800
+Subject: net: Do not allocate page fragments that are not skb aligned
+
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+
+[ Upstream commit 3bed3cc4156eedf652b4df72bdb35d4f1a2a739d ]
+
+This patch addresses the fact that there are drivers, specifically tun,
+that will call into the network page fragment allocators with buffer sizes
+that are not cache aligned. Doing this could result in data alignment
+and DMA performance issues as these fragment pools are also shared with the
+skb allocator and any other devices that will use napi_alloc_frags or
+netdev_alloc_frags.
+
+Fixes: ffde7328a36d ("net: Split netdev_alloc_frag into __alloc_page_frag and add __napi_alloc_frag")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -353,6 +353,8 @@ static void *__netdev_alloc_frag(unsigne
+ */
+ void *netdev_alloc_frag(unsigned int fragsz)
+ {
++ fragsz = SKB_DATA_ALIGN(fragsz);
++
+ return __netdev_alloc_frag(fragsz, GFP_ATOMIC | __GFP_COLD);
+ }
+ EXPORT_SYMBOL(netdev_alloc_frag);
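Review bot: `fragsz = SKB_DATA_ALIGN(fragsz);` rounds an `unsigned int` upward with no upper bound, so a request within one alignment unit of UINT_MAX would wrap to a small size and the caller would get less room than it asked for; the identical line in napi_alloc_frag() in the next hunk has the same property. Whether any caller can pass such a size is not visible from here, so this is a hardening point rather than a confirmed bug; a guard such as `if (fragsz > SKB_DATA_ALIGN(fragsz)) return NULL;` before the assignment would close it. The kernel-doc block that ends just above netdev_alloc_frag() should also state that the size is rounded up to the skb data alignment, since callers can no longer assume fragments are packed at the requested size.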
+@@ -366,6 +368,8 @@ static void *__napi_alloc_frag(unsigned
+
+ void *napi_alloc_frag(unsigned int fragsz)
+ {
++ fragsz = SKB_DATA_ALIGN(fragsz);
++
+ return __napi_alloc_frag(fragsz, GFP_ATOMIC | __GFP_COLD);
+ }
+ EXPORT_SYMBOL(napi_alloc_frag);
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Hauke Mehrtens <hauke.mehrtens@intel.com>
+Date: Fri, 15 Feb 2019 17:58:54 +0100
+Subject: net: Fix for_each_netdev_feature on Big endian
+
+From: Hauke Mehrtens <hauke.mehrtens@intel.com>
+
+[ Upstream commit 3b89ea9c5902acccdbbdec307c85edd1bf52515e ]
+
+The features attribute is of type u64 and stored in the native endianes on
+the system. The for_each_set_bit() macro takes a pointer to a 32 bit array
+and goes over the bits in this area. On little Endian systems this also
+works with an u64 as the most significant bit is on the highest address,
+but on big endian the words are swapped. When we expect bit 15 here we get
+bit 47 (15 + 32).
+
+This patch converts it more or less to its own for_each_set_bit()
+implementation which works on 64 bit integers directly. This is then
+completely in host endianness and should work like expected.
+
+Fixes: fd867d51f ("net/core: generic support for disabling netdev features down stack")
+Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdev_features.h | 23 +++++++++++++++++++++--
+ net/core/dev.c | 4 ++--
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -11,6 +11,7 @@
+ #define _LINUX_NETDEV_FEATURES_H
+
+ #include <linux/types.h>
++#include <asm/byteorder.h>
+
+ typedef u64 netdev_features_t;
+
+@@ -143,8 +144,26 @@ enum {
+ #define NETIF_F_HW_ESP_TX_CSUM __NETIF_F(HW_ESP_TX_CSUM)
+ #define NETIF_F_RX_UDP_TUNNEL_PORT __NETIF_F(RX_UDP_TUNNEL_PORT)
+
+-#define for_each_netdev_feature(mask_addr, bit) \
+- for_each_set_bit(bit, (unsigned long *)mask_addr, NETDEV_FEATURE_COUNT)
++/* Finds the next feature with the highest number of the range of start till 0.
++ */
++static inline int find_next_netdev_feature(u64 feature, unsigned long start)
++{
++ /* like BITMAP_LAST_WORD_MASK() for u64
++ * this sets the most significant 64 - start to 0.
++ */
++ feature &= ~0ULL >> (-start & ((sizeof(feature) * 8) - 1));
++
++ return fls64(feature) - 1;
++}
++
++/* This goes for the MSB to the LSB through the set feature bits,
++ * mask_addr should be a u64 and bit an int
++ */
++#define for_each_netdev_feature(mask_addr, bit) \
++ for ((bit) = find_next_netdev_feature((mask_addr), \
++ NETDEV_FEATURE_COUNT); \
++ (bit) >= 0; \
++ (bit) = find_next_netdev_feature((mask_addr), (bit) - 1))
+
+ /* Features valid for ethtool to change */
+ /* = all defined minus driver/device-class-related */
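Review bot: The step expression `find_next_netdev_feature((mask_addr), (bit) - 1)` skips the feature directly below the one just visited, because the helper treats `start` as a count of low bits to keep (its own comment says it clears the top `64 - start` bits), so `start = bit - 1` keeps only bits 0 to bit-2. A second problem is that `start == 0` gives a shift of 0 and masks nothing, so after returning bit 1 the helper returns the highest set bit again and the loop does not terminate; a `start` of -1 after bit 0 behaves the same way. I would pass the index unchanged, `(bit) = find_next_netdev_feature((mask_addr), (bit))`, and add `if (!start) return -1;` at the top of the helper. The macro parameter is still called `mask_addr` although it is now a value, not an address; `mask` would match the new comment.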
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7260,7 +7260,7 @@ static netdev_features_t netdev_sync_upp
+ netdev_features_t feature;
+ int feature_bit;
+
+- for_each_netdev_feature(&upper_disables, feature_bit) {
++ for_each_netdev_feature(upper_disables, feature_bit) {
+ feature = __NETIF_F_BIT(feature_bit);
+ if (!(upper->wanted_features & feature)
+ && (features & feature)) {
+@@ -7280,7 +7280,7 @@ static void netdev_sync_lower_features(s
+ netdev_features_t feature;
+ int feature_bit;
+
+- for_each_netdev_feature(&upper_disables, feature_bit) {
++ for_each_netdev_feature(upper_disables, feature_bit) {
+ feature = __NETIF_F_BIT(feature_bit);
+ if (!(features & feature) && (lower->features & feature)) {
+ netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n",
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Fri, 15 Feb 2019 17:17:08 +0100
+Subject: net: phy: xgmiitorgmii: Support generic PHY status read
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit 197f9ab7f08ce4b9ece662f747c3991b2f0fbb57 ]
+
+Some PHY drivers like the generic one do not provide a read_status
+callback on their own but rely on genphy_read_status being called
+directly.
+
+With the current code, this results in a NULL function pointer call.
+Call genphy_read_status instead when there is no specific callback.
+
+Fixes: f411a6160bd4 ("net: phy: Add gmiitorgmii converter support")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -42,7 +42,10 @@ static int xgmiitorgmii_read_status(stru
+ u16 val = 0;
+ int err;
+
+- err = priv->phy_drv->read_status(phydev);
++ if (priv->phy_drv->read_status)
++ err = priv->phy_drv->read_status(phydev);
++ else
++ err = genphy_read_status(phydev);
+ if (err < 0)
+ return err;
+
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Jose Abreu <jose.abreu@synopsys.com>
+Date: Mon, 18 Feb 2019 14:35:03 +0100
+Subject: net: stmmac: Fix a race in EEE enable callback
+
+From: Jose Abreu <jose.abreu@synopsys.com>
+
+[ Upstream commit 8a7493e58ad688eb23b81e45461c5d314f4402f1 ]
+
+We are saving the status of EEE even before we try to enable it. This
+leads to a race with XMIT function that tries to arm EEE timer before we
+set it up.
+
+Fix this by only saving the EEE parameters after all operations are
+performed with success.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -675,25 +675,27 @@ static int stmmac_ethtool_op_set_eee(str
+ struct ethtool_eee *edata)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+-
+- if (!priv->eee_enabled)
++ if (!edata->eee_enabled) {
+ stmmac_disable_eee_mode(priv);
+- else {
++ } else {
+ /* We are asking for enabling the EEE but it is safe
+ * to verify all by invoking the eee_init function.
+ * In case of failure it will return an error.
+ */
+- priv->eee_enabled = stmmac_eee_init(priv);
+- if (!priv->eee_enabled)
++ edata->eee_enabled = stmmac_eee_init(priv);
++ if (!edata->eee_enabled)
+ return -EOPNOTSUPP;
+-
+- /* Do not change tx_lpi_timer in case of failure */
+- priv->tx_lpi_timer = edata->tx_lpi_timer;
+ }
+
+- return phy_ethtool_set_eee(dev->phydev, edata);
++ ret = phy_ethtool_set_eee(dev->phydev, edata);
++ if (ret)
++ return ret;
++
++ priv->eee_enabled = edata->eee_enabled;
++ priv->tx_lpi_timer = edata->tx_lpi_timer;
++ return 0;
+ }
+
+ static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
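Review bot: On the disable path `stmmac_disable_eee_mode(priv)` runs before `phy_ethtool_set_eee()`, and if that call fails the function returns with `priv->eee_enabled` still holding its old value, so the cached flag can say enabled after the MAC side was switched off. The enable path has the mirror case: `stmmac_eee_init()` has already succeeded when a PHY error leaves the cached flag untouched. Writing the init result into `edata->eee_enabled` also modifies the caller's request structure, which deserves a comment if it is intended. I would either call `phy_ethtool_set_eee()` first and touch the MAC only after it succeeds, or record the MAC state explicitly on the error return; what the two helpers do internally is outside this hunk, so the ordering needs checking against them.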
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Alexandre Torgue <alexandre.torgue@st.com>
+Date: Fri, 15 Feb 2019 10:49:09 +0100
+Subject: net: stmmac: handle endianness in dwmac4_get_timestamp
+
+From: Alexandre Torgue <alexandre.torgue@st.com>
+
+[ Upstream commit 224babd62d6f19581757a6d8bae3bf9501fc10de ]
+
+GMAC IP is little-endian and used on several kind of CPU (big or little
+endian). Main callbacks functions of the stmmac drivers take care about
+it. It was not the case for dwmac4_get_timestamp function.
+
+Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
+Signed-off-by: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+@@ -238,15 +238,18 @@ static inline u64 dwmac4_get_timestamp(v
+ static int dwmac4_rx_check_timestamp(void *desc)
+ {
+ struct dma_desc *p = (struct dma_desc *)desc;
++ unsigned int rdes0 = le32_to_cpu(p->des0);
++ unsigned int rdes1 = le32_to_cpu(p->des1);
++ unsigned int rdes3 = le32_to_cpu(p->des3);
+ u32 own, ctxt;
+ int ret = 1;
+
+- own = p->des3 & RDES3_OWN;
+- ctxt = ((p->des3 & RDES3_CONTEXT_DESCRIPTOR)
++ own = rdes3 & RDES3_OWN;
++ ctxt = ((rdes3 & RDES3_CONTEXT_DESCRIPTOR)
+ >> RDES3_CONTEXT_DESCRIPTOR_SHIFT);
+
+ if (likely(!own && ctxt)) {
+- if ((p->des0 == 0xffffffff) && (p->des1 == 0xffffffff))
++ if ((rdes0 == 0xffffffff) && (rdes1 == 0xffffffff))
+ /* Corrupted value */
+ ret = -EINVAL;
+ else
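Review bot: The subject names dwmac4_get_timestamp(), but the only hunk converts descriptor words in dwmac4_rx_check_timestamp(); whether dwmac4_get_timestamp() already applies `le32_to_cpu()` in this tree is not visible here and should be confirmed before the backport is treated as complete. The three new locals are declared `unsigned int` while the neighbouring `own` and `ctxt` are `u32`; `u32 rdes0 = le32_to_cpu(p->des0);` (likewise for rdes1 and rdes3) matches the type the conversion returns. The function body continues past the end of the hunk.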
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 15 Feb 2019 12:15:47 -0500
+Subject: net: validate untrusted gso packets without csum offload
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit d5be7f632bad0f489879eed0ff4b99bd7fe0b74c ]
+
+Syzkaller again found a path to a kernel crash through bad gso input.
+By building an excessively large packet to cause an skb field to wrap.
+
+If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
+skb_partial_csum_set.
+
+GSO packets that do not set checksum offload are suspicious and rare.
+Most callers of virtio_net_hdr_to_skb already pass them to
+skb_probe_transport_header.
+
+Move that test forward, change it to detect parse failure and drop
+packets on failure as those cleary are not one of the legitimate
+VIRTIO_NET_HDR_GSO types.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 2 +-
+ include/linux/virtio_net.h | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2377,7 +2377,7 @@ static inline void skb_probe_transport_h
+ return;
+ else if (skb_flow_dissect_flow_keys(skb, &keys, 0))
+ skb_set_transport_header(skb, keys.control.thoff);
+- else
++ else if (offset_hint >= 0)
+ skb_set_transport_header(skb, offset_hint);
+ }
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -57,6 +57,15 @@ static inline int virtio_net_hdr_to_skb(
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++ } else {
++ /* gso packets without NEEDS_CSUM do not set transport_offset.
++ * probe and drop if does not match one of the above types.
++ */
++ if (gso_type) {
++ skb_probe_transport_header(skb, -1);
++ if (!skb_transport_header_was_set(skb))
++ return -EINVAL;
++ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
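Review bot: The added comment says the packet is dropped if it "does not match one of the above types", but the code only tests `skb_transport_header_was_set(skb)`, i.e. that some transport header was found, and never compares what was dissected with `gso_type`. The part of skb_probe_transport_header() visible in the skbuff.h hunk also returns early on its first branch; if that branch is the "header already set" case (its condition is outside the hunk), an skb arriving with the header set passes this check without being dissected. I would reword the comment to `/* gso packets without NEEDS_CSUM do not set transport_offset; probe and drop if no transport header can be found */` and note next to the call that `-1` means "no fallback offset". Comparing the dissected protocol with the declared gso type would be a separate hardening step.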
vsock-cope-with-memory-allocation-failure-at-socket-.patch
vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch
hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_di.patch
+mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch
+net-crypto-set-sk-to-null-when-af_alg_release.patch
+net-fix-for_each_netdev_feature-on-big-endian.patch
+net-phy-xgmiitorgmii-support-generic-phy-status-read.patch
+net-stmmac-fix-a-race-in-eee-enable-callback.patch
+net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
+net-validate-untrusted-gso-packets-without-csum-offload.patch
+sky2-increase-d3-delay-again.patch
+vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch
+net-add-header-for-usage-of-fls64.patch
+tcp-tcp_v4_err-should-be-more-careful.patch
+net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch
+tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 19 Feb 2019 23:45:29 +0800
+Subject: sky2: Increase D3 delay again
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 1765f5dcd00963e33f1b8a4e0f34061fbc0e2f7f ]
+
+Another platform requires even longer delay to make the device work
+correctly after S3.
+
+So increase the delay to 300ms.
+
+BugLink: https://bugs.launchpad.net/bugs/1798921
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5087,7 +5087,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 200;
++ pdev->d3_delay = 300;
+
+ return 0;
+
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Feb 2019 13:36:20 -0800
+Subject: tcp: clear icsk_backoff in tcp_write_queue_purge()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 04c03114be82194d4a4858d41dba8e286ad1787c ]
+
+soukjin bae reported a crash in tcp_v4_err() handling
+ICMP_DEST_UNREACH after tcp_write_queue_head(sk)
+returned a NULL pointer.
+
+Current logic should have prevented this :
+
+ if (seq != tp->snd_una || !icsk->icsk_retransmits ||
+ !icsk->icsk_backoff || fastopen)
+ break;
+
+Problem is the write queue might have been purged
+and icsk_backoff has not been cleared.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: soukjin bae <soukjin.bae@samsung.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1622,6 +1622,7 @@ static inline void tcp_write_queue_purge
+ tcp_clear_all_retrans_hints(tcp_sk(sk));
+ tcp_init_send_head(sk);
+ tcp_sk(sk)->packets_out = 0;
++ inet_csk(sk)->icsk_backoff = 0;
+ }
+
+ static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
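Review bot: `inet_csk(sk)->icsk_backoff = 0;` is added to tcp_write_queue_purge() without a comment, yet per the commit text it upholds an invariant that tcp_v4_err() depends on: a non-zero backoff implies a non-empty write queue. A one-line comment such as `/* empty queue implies no backoff: tcp_v4_err() relies on icsk_backoff to know the queue head exists */` would keep someone from moving the store back out later. The start of the function is outside the hunk, so I cannot tell whether the other counter tested in that condition, `icsk_retransmits`, is reset alongside it.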
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2347,7 +2347,6 @@ int tcp_disconnect(struct sock *sk, int
+ tp->write_seq += tp->max_window + 2;
+ if (tp->write_seq == 0)
+ tp->write_seq = 1;
+- icsk->icsk_backoff = 0;
+ tp->snd_cwnd = 2;
+ icsk->icsk_probes_out = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 15 Feb 2019 13:36:21 -0800
+Subject: tcp: tcp_v4_err() should be more careful
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2c4cc9712364c051b1de2d175d5fbea6be948ebf ]
+
+ICMP handlers are not very often stressed, we should
+make them more resilient to bugs that might surface in
+the future.
+
+If there is no packet in retransmit queue, we should
+avoid a NULL deref.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: soukjin bae <soukjin.bae@samsung.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -475,14 +475,15 @@ void tcp_v4_err(struct sk_buff *icmp_skb
+ if (sock_owned_by_user(sk))
+ break;
+
++ skb = tcp_write_queue_head(sk);
++ if (WARN_ON_ONCE(!skb))
++ break;
++
+ icsk->icsk_backoff--;
+ icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
+ TCP_TIMEOUT_INIT;
+ icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
+
+- skb = tcp_write_queue_head(sk);
+- BUG_ON(!skb);
+-
+ tcp_mstamp_refresh(tp);
+ delta_us = (u32)(tp->tcp_mstamp - skb->skb_mstamp);
+ remaining = icsk->icsk_rto -
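Review bot: `WARN_ON_ONCE(!skb)` still stops the machine on systems running with panic_on_warn, and this branch is reached while handling a received ICMP message, so replacing BUG_ON() only helps hosts without that setting. If the empty-queue case is considered reachable, a plain `if (!skb) break;` matches the stated aim of making the handler resilient. If it is considered impossible after the tcp_write_queue_purge() change, a short comment saying so would justify keeping the warning. The switch case this code sits in starts and ends outside the hunk.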
--- /dev/null
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 19 Feb 2019 14:53:44 +0800
+Subject: vhost: correctly check the return value of translate_desc() in log_used()
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 816db7663565cd23f74ed3d5c9240522e3fb0dda ]
+
+When fail, translate_desc() returns negative value, otherwise the
+number of iovs. So we should fail when the return value is negative
+instead of a blindly check against zero.
+
+Detected by CoverityScan, CID# 1442593: Control flow issues (DEADCODE)
+
+Fixes: cc5e71075947 ("vhost: log dirty page correctly")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reported-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1776,7 +1776,7 @@ static int log_used(struct vhost_virtque
+
+ ret = translate_desc(vq, (uintptr_t)vq->used + used_offset,
+ len, iov, 64, VHOST_ACCESS_WO);
+- if (ret)
++ if (ret < 0)
+ return ret;
+
+ for (i = 0; i < ret; i++) {
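Review bot: With the test relaxed to `ret < 0`, a return of 0 from translate_desc() now falls through to the `for (i = 0; i < ret; i++)` loop and does nothing; if zero iovs for a non-zero `len` is not a valid outcome, the function presumably goes on to report success without having logged the range. What follows the loop is outside the hunk, so this needs checking there. Separately, the literal `64` passed as the iov capacity should be tied to the buffer, e.g. `ARRAY_SIZE(iov)` if `iov` is a local array, which its declaration outside the hunk would confirm.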