--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 22 Apr 2018 19:11:50 +0800
+Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ]
+
+After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it
+would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev
+if bond->dev->npinfo was set.
+
+However now slave_dev npinfo is set with bond->dev->npinfo before calling
+slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called
+in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup().
+It causes that the lower dev of this slave dev can't set its npinfo.
+
+One way to reproduce it:
+
+ # modprobe bonding
+ # brctl addbr br0
+ # brctl addif br0 eth1
+ # ifconfig bond0 192.168.122.1/24 up
+ # ifenslave bond0 eth2
+ # systemctl restart netconsole
+ # ifenslave bond0 br0
+ # ifconfig eth2 down
+ # systemctl restart netconsole
+
+The netpoll won't really work.
+
+This patch is to remove that slave_dev npinfo setting in bond_enslave().
+
+Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1505,8 +1505,7 @@ int bond_enslave(struct net_device *bond
+ } /* switch(bond_mode) */
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+- slave_dev->npinfo = bond->dev->npinfo;
+- if (slave_dev->npinfo) {
++ if (bond->dev->npinfo) {
+ if (slave_enable_netpoll(new_slave)) {
+ netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
+ res = -EBUSY;
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 22 Apr 2018 18:29:23 -0700
+Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
+
+KMSAN reported use of uninit-value that I tracked to lack
+of proper size check on RTA_TABLE attribute.
+
+I also believe RTA_PREFSRC lacks a similar check.
+
+Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
+Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2333,11 +2333,13 @@ void rt6_mtu_change(struct net_device *d
+
+ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+ [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) },
++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) },
+ [RTA_OIF] = { .type = NLA_U32 },
+ [RTA_IIF] = { .type = NLA_U32 },
+ [RTA_PRIORITY] = { .type = NLA_U32 },
+ [RTA_METRICS] = { .type = NLA_NESTED },
+ [RTA_MULTIPATH] = { .len = sizeof(struct rtnexthop) },
++ [RTA_TABLE] = { .type = NLA_U32 },
+ };
+
+ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 17 Apr 2018 12:07:06 -0700
+Subject: KEYS: DNS: limit the length of option strings
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ]
+
+Adding a dns_resolver key whose payload contains a very long option name
+resulted in that string being printed in full. This hit the WARN_ONCE()
+in set_precision() during the printk(), because printk() only supports a
+precision of up to 32767 bytes:
+
+ precision 1000000 too large
+ WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
+
+Fix it by limiting option strings (combined name + value) to a much more
+reasonable 128 bytes. The exact limit is arbitrary, but currently the
+only recognized option is formatted as "dnserror=%lu" which fits well
+within this limit.
+
+Also ratelimit the printks.
+
+Reproducer:
+
+ perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
+
+This bug was found using syzkaller.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dns_resolver/dns_key.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -25,6 +25,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
++#include <linux/ratelimit.h>
+ #include <linux/kernel.h>
+ #include <linux/keyctl.h>
+ #include <linux/err.h>
+@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_prepars
+
+ next_opt = memchr(opt, '#', end - opt) ?: end;
+ opt_len = next_opt - opt;
+- if (!opt_len) {
+- printk(KERN_WARNING
+- "Empty option to dns_resolver key\n");
++ if (opt_len <= 0 || opt_len > 128) {
++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
++ opt_len);
+ return -EINVAL;
+ }
+
+@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_prepars
+ }
+
+ bad_option_value:
+- printk(KERN_WARNING
+- "Option '%*.*s' to dns_resolver key:"
+- " bad/missing value\n",
+- opt_nlen, opt_nlen, opt);
++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
++ opt_nlen, opt_nlen, opt);
+ return -EINVAL;
+ } while (opt = next_opt + 1, opt < end);
+ }
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:15:14 +0200
+Subject: l2tp: check sockaddr length in pppol2tp_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]
+
+Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
+it actually points to valid data.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -608,6 +608,13 @@ static int pppol2tp_connect(struct socke
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OL2TP)
+ goto end;
+
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 12:25:38 -0700
+Subject: llc: delete timers synchronously in llc_sk_free()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
+
+The connection timers of an llc sock could be still flying
+after we delete them in llc_sk_free(), and even possibly
+after we free the sock. We could just wait synchronously
+here in case of troubles.
+
+Note, I leave other call paths as they are, since they may
+not have to wait, at least we can change them to synchronously
+when needed.
+
+Also, move the code to net/llc/llc_conn.c, which is apparently
+a better place.
+
+Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/llc_conn.h | 1 +
+ net/llc/llc_c_ac.c | 9 +--------
+ net/llc/llc_conn.c | 22 +++++++++++++++++++++-
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(
+
+ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
+ struct proto *prot);
++void llc_sk_stop_all_timers(struct sock *sk, bool sync);
+ void llc_sk_free(struct sock *sk);
+
+ void llc_sk_reset(struct sock *sk);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -1096,14 +1096,7 @@ int llc_conn_ac_inc_tx_win_size(struct s
+
+ int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
+ {
+- struct llc_sock *llc = llc_sk(sk);
+-
+- del_timer(&llc->pf_cycle_timer.timer);
+- del_timer(&llc->ack_timer.timer);
+- del_timer(&llc->rej_sent_timer.timer);
+- del_timer(&llc->busy_state_timer.timer);
+- llc->ack_must_be_send = 0;
+- llc->ack_pf = 0;
++ llc_sk_stop_all_timers(sk, false);
+ return 0;
+ }
+
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -951,6 +951,26 @@ out:
+ return sk;
+ }
+
++void llc_sk_stop_all_timers(struct sock *sk, bool sync)
++{
++ struct llc_sock *llc = llc_sk(sk);
++
++ if (sync) {
++ del_timer_sync(&llc->pf_cycle_timer.timer);
++ del_timer_sync(&llc->ack_timer.timer);
++ del_timer_sync(&llc->rej_sent_timer.timer);
++ del_timer_sync(&llc->busy_state_timer.timer);
++ } else {
++ del_timer(&llc->pf_cycle_timer.timer);
++ del_timer(&llc->ack_timer.timer);
++ del_timer(&llc->rej_sent_timer.timer);
++ del_timer(&llc->busy_state_timer.timer);
++ }
++
++ llc->ack_must_be_send = 0;
++ llc->ack_pf = 0;
++}
++
+ /**
+ * llc_sk_free - Frees a LLC socket
+ * @sk - socket to free
+@@ -963,7 +983,7 @@ void llc_sk_free(struct sock *sk)
+
+ llc->state = LLC_CONN_OUT_OF_SVC;
+ /* Stop all (possibly) running timers */
+- llc_conn_ac_stop_all_timers(sk, NULL);
++ llc_sk_stop_all_timers(sk, true);
+ #ifdef DEBUG_LLC_CONN_ALLOC
+ printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
+ skb_queue_len(&llc->pdu_unack_q),
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 21:54:34 -0700
+Subject: llc: fix NULL pointer deref for SOCK_ZAPPED
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
+
+For SOCK_ZAPPED socket, we don't need to care about llc->sap,
+so we should just skip these refcount functions in this case.
+
+Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -187,7 +187,6 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
+- struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -198,15 +197,19 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+- sap = llc->sap;
+- /* Hold this for release_sock(), so that llc_backlog_rcv() could still
+- * use it.
+- */
+- llc_sap_hold(sap);
+- if (!sock_flag(sk, SOCK_ZAPPED))
++ if (!sock_flag(sk, SOCK_ZAPPED)) {
++ struct llc_sap *sap = llc->sap;
++
++ /* Hold this for release_sock(), so that llc_backlog_rcv()
++ * could still use it.
++ */
++ llc_sap_hold(sap);
+ llc_sap_remove_socket(llc->sap, sk);
+- release_sock(sk);
+- llc_sap_put(sap);
++ release_sock(sk);
++ llc_sap_put(sap);
++ } else {
++ release_sock(sk);
++ }
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Apr 2018 11:51:56 -0700
+Subject: llc: hold llc_sap before release_sock()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
+
+syzbot reported we still access llc->sap in llc_backlog_rcv()
+after it is freed in llc_sap_remove_socket():
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
+ llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
+ llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
+ llc_conn_service net/llc/llc_conn.c:400 [inline]
+ llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
+ llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
+ sk_backlog_rcv include/net/sock.h:909 [inline]
+ __release_sock+0x12f/0x3a0 net/core/sock.c:2335
+ release_sock+0xa4/0x2b0 net/core/sock.c:2850
+ llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
+
+llc->sap is refcount'ed and llc_sap_remove_socket() is paired
+with llc_sap_add_socket(). This can be amended by holding its refcount
+before llc_sap_remove_socket() and releasing it after release_sock().
+
+Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -187,6 +187,7 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
++ struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -197,9 +198,15 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
++ sap = llc->sap;
++ /* Hold this for release_sock(), so that llc_backlog_rcv() could still
++ * use it.
++ */
++ llc_sap_hold(sap);
+ if (!sock_flag(sk, SOCK_ZAPPED))
+ llc_sap_remove_socket(llc->sap, sk);
+ release_sock(sk);
++ llc_sap_put(sap);
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Apr 2018 17:52:04 -0700
+Subject: net: af_packet: fix race in PACKET_{R|T}X_RING
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]
+
+In order to remove the race caught by syzbot [1], we need
+to lock the socket before using po->tp_version as this could
+change under us otherwise.
+
+This means lock_sock() and release_sock() must be done by
+packet_set_ring() callers.
+
+[1] :
+BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+ packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+ SyS_setsockopt+0x76/0xa0 net/socket.c:1828
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x449099
+RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
+RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
+RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
+
+Local variable description: ----req_u@packet_setsockopt
+Variable was created at:
+ packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2633,6 +2633,7 @@ static int packet_release(struct socket
+
+ packet_flush_mclist(sk);
+
++ lock_sock(sk);
+ if (po->rx_ring.pg_vec) {
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 0);
+@@ -2642,6 +2643,7 @@ static int packet_release(struct socket
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 1);
+ }
++ release_sock(sk);
+
+ fanout_release(sk);
+
+@@ -3276,6 +3278,7 @@ packet_setsockopt(struct socket *sock, i
+ union tpacket_req_u req_u;
+ int len;
+
++ lock_sock(sk);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+@@ -3286,14 +3289,21 @@ packet_setsockopt(struct socket *sock, i
+ len = sizeof(req_u.req3);
+ break;
+ }
+- if (optlen < len)
+- return -EINVAL;
+- if (pkt_sk(sk)->has_vnet_hdr)
+- return -EINVAL;
+- if (copy_from_user(&req_u.req, optval, len))
+- return -EFAULT;
+- return packet_set_ring(sk, &req_u, 0,
+- optname == PACKET_TX_RING);
++ if (optlen < len) {
++ ret = -EINVAL;
++ } else {
++ if (pkt_sk(sk)->has_vnet_hdr) {
++ ret = -EINVAL;
++ } else {
++ if (copy_from_user(&req_u.req, optval, len))
++ ret = -EFAULT;
++ else
++ ret = packet_set_ring(sk, &req_u, 0,
++ optname == PACKET_TX_RING);
++ }
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_COPY_THRESH:
+ {
+@@ -3825,7 +3835,6 @@ static int packet_set_ring(struct sock *
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
+- lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ WARN(1, "Tx-ring is not supported.\n");
+@@ -3961,7 +3970,6 @@ static int packet_set_ring(struct sock *
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+- release_sock(sk);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 23 Apr 2018 17:37:03 -0400
+Subject: packet: fix bitfield update race
+
+From: Willem de Bruijn <willemb@google.com>
+
+
+[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]
+
+Updates to the bitfields in struct packet_sock are not atomic.
+Serialize these read-modify-write cycles.
+
+Move po->running into a separate variable. Its writes are protected by
+po->bind_lock (except for one startup case at packet_create). Also
+replace a textual precondition warning with lockdep annotation.
+
+All others are set only in packet_setsockopt. Serialize these
+updates by holding the socket lock. Analogous to other field updates,
+also hold the lock when testing whether a ring is active (pg_vec).
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 60 +++++++++++++++++++++++++++++++++++--------------
+ net/packet/internal.h | 10 ++++----
+ 2 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -323,11 +323,11 @@ static void packet_pick_tx_queue(struct
+ skb_set_queue_mapping(skb, queue_index);
+ }
+
+-/* register_prot_hook must be invoked with the po->bind_lock held,
++/* __register_prot_hook must be invoked through register_prot_hook
+ * or from a context in which asynchronous accesses to the packet
+ * socket is not possible (packet_create()).
+ */
+-static void register_prot_hook(struct sock *sk)
++static void __register_prot_hook(struct sock *sk)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
+@@ -342,8 +342,13 @@ static void register_prot_hook(struct so
+ }
+ }
+
+-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+- * held. If the sync parameter is true, we will temporarily drop
++static void register_prot_hook(struct sock *sk)
++{
++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
++ __register_prot_hook(sk);
++}
++
++/* If the sync parameter is true, we will temporarily drop
+ * the po->bind_lock and do a synchronize_net to make sure no
+ * asynchronous packet processing paths still refer to the elements
+ * of po->prot_hook. If the sync parameter is false, it is the
+@@ -353,6 +358,8 @@ static void __unregister_prot_hook(struc
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
++ lockdep_assert_held_once(&po->bind_lock);
++
+ po->running = 0;
+
+ if (po->fanout)
+@@ -2861,7 +2868,7 @@ static int packet_create(struct net *net
+
+ if (proto) {
+ po->prot_hook.type = proto;
+- register_prot_hook(sk);
++ __register_prot_hook(sk);
+ }
+
+ mutex_lock(&net->packet.sklist_lock);
+@@ -3352,12 +3359,18 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_loss = !!val;
+- return 0;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_loss = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_AUXDATA:
+ {
+@@ -3368,7 +3381,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->auxdata = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -3380,7 +3395,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->origdev = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_VNET_HDR:
+@@ -3389,15 +3406,20 @@ packet_setsockopt(struct socket *sock, i
+
+ if (sock->type != SOCK_RAW)
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- po->has_vnet_hdr = !!val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->has_vnet_hdr = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_TIMESTAMP:
+ {
+@@ -3428,11 +3450,17 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_tx_has_off = !!val;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_tx_has_off = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_QDISC_BYPASS:
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -100,10 +100,12 @@ struct packet_sock {
+ int copy_thresh;
+ spinlock_t bind_lock;
+ struct mutex pg_vec_lock;
+- unsigned int running:1, /* prot_hook is attached*/
+- auxdata:1,
++ unsigned int running; /* bind_lock must be held */
++ unsigned int auxdata:1, /* writer must hold sock lock */
+ origdev:1,
+- has_vnet_hdr:1;
++ has_vnet_hdr:1,
++ tp_loss:1,
++ tp_tx_has_off:1;
+ int ifindex; /* bound device */
+ __be16 num;
+ struct packet_mclist *mclist;
+@@ -111,8 +113,6 @@ struct packet_sock {
+ enum tpacket_versions tp_version;
+ unsigned int tp_hdrlen;
+ unsigned int tp_reserve;
+- unsigned int tp_loss:1;
+- unsigned int tp_tx_has_off:1;
+ unsigned int tp_tstamp;
+ struct net_device __rcu *cached_dev;
+ int (*xmit)(struct sk_buff *skb);
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:38:27 +0200
+Subject: pppoe: check sockaddr length in pppoe_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ]
+
+We must validate sockaddr_len, otherwise userspace can pass fewer data
+than we expect and we end up accessing invalid data.
+
+Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
+Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -613,6 +613,10 @@ static int pppoe_connect(struct socket *
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppox))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+
perf-return-proper-values-for-user-stack-errors.patch
mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch
jbd2-fix-use-after-free-in-kjournald2.patch
+bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
+keys-dns-limit-the-length-of-option-strings.patch
+l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
+tcp-don-t-read-out-of-bounds-opsize.patch
+team-avoid-adding-twice-the-same-option-to-the-event-list.patch
+team-fix-netconsole-setup-over-team.patch
+pppoe-check-sockaddr-length-in-pppoe_connect.patch
+llc-hold-llc_sap-before-release_sock.patch
+llc-fix-null-pointer-deref-for-sock_zapped.patch
+packet-fix-bitfield-update-race.patch
+tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
+net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
+llc-delete-timers-synchronously-in-llc_sk_free.patch
+ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Fri, 20 Apr 2018 15:57:30 +0200
+Subject: tcp: don't read out-of-bounds opsize
+
+From: Jann Horn <jannh@google.com>
+
+
+[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ]
+
+The old code reads the "opsize" variable from out-of-bounds memory (first
+byte behind the segment) if a broken TCP segment ends directly after an
+opcode that is neither EOL nor NOP.
+
+The result of the read isn't used for anything, so the worst thing that
+could theoretically happen is a pagefault; and since the physmap is usually
+mostly contiguous, even that seems pretty unlikely.
+
+The following C reproducer triggers the uninitialized read - however, you
+can't actually see anything happen unless you put something like a
+pr_warn() in tcp_parse_md5sig_option() to print the opsize.
+
+====================================
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <net/if.h>
+#include <linux/if.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/in.h>
+#include <linux/if_tun.h>
+#include <err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <assert.h>
+
+void systemf(const char *command, ...) {
+ char *full_command;
+ va_list ap;
+ va_start(ap, command);
+ if (vasprintf(&full_command, command, ap) == -1)
+ err(1, "vasprintf");
+ va_end(ap);
+ printf("systemf: <<<%s>>>\n", full_command);
+ system(full_command);
+}
+
+char *devname;
+
+int tun_alloc(char *name) {
+ int fd = open("/dev/net/tun", O_RDWR);
+ if (fd == -1)
+ err(1, "open tun dev");
+ static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI };
+ strcpy(req.ifr_name, name);
+ if (ioctl(fd, TUNSETIFF, &req))
+ err(1, "TUNSETIFF");
+ devname = req.ifr_name;
+ printf("device name: %s\n", devname);
+ return fd;
+}
+
+#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24))
+
+void sum_accumulate(unsigned int *sum, void *data, int len) {
+ assert((len&2)==0);
+ for (int i=0; i<len/2; i++) {
+ *sum += ntohs(((unsigned short *)data)[i]);
+ }
+}
+
+unsigned short sum_final(unsigned int sum) {
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum = (sum >> 16) + (sum & 0xffff);
+ return htons(~sum);
+}
+
+void fix_ip_sum(struct iphdr *ip) {
+ unsigned int sum = 0;
+ sum_accumulate(&sum, ip, sizeof(*ip));
+ ip->check = sum_final(sum);
+}
+
+void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) {
+ unsigned int sum = 0;
+ struct {
+ unsigned int saddr;
+ unsigned int daddr;
+ unsigned char pad;
+ unsigned char proto_num;
+ unsigned short tcp_len;
+ } fakehdr = {
+ .saddr = ip->saddr,
+ .daddr = ip->daddr,
+ .proto_num = ip->protocol,
+ .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4)
+ };
+ sum_accumulate(&sum, &fakehdr, sizeof(fakehdr));
+ sum_accumulate(&sum, tcp, tcp->doff*4);
+ tcp->check = sum_final(sum);
+}
+
+int main(void) {
+ int tun_fd = tun_alloc("inject_dev%d");
+ systemf("ip link set %s up", devname);
+ systemf("ip addr add 192.168.42.1/24 dev %s", devname);
+
+ struct {
+ struct iphdr ip;
+ struct tcphdr tcp;
+ unsigned char tcp_opts[20];
+ } __attribute__((packed)) syn_packet = {
+ .ip = {
+ .ihl = sizeof(struct iphdr)/4,
+ .version = 4,
+ .tot_len = htons(sizeof(syn_packet)),
+ .ttl = 30,
+ .protocol = IPPROTO_TCP,
+ /* FIXUP check */
+ .saddr = IPADDR(192,168,42,2),
+ .daddr = IPADDR(192,168,42,1)
+ },
+ .tcp = {
+ .source = htons(1),
+ .dest = htons(1337),
+ .seq = 0x12345678,
+ .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4,
+ .syn = 1,
+ .window = htons(64),
+ .check = 0 /*FIXUP*/
+ },
+ .tcp_opts = {
+ /* INVALID: trailing MD5SIG opcode after NOPs */
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 19
+ }
+ };
+ fix_ip_sum(&syn_packet.ip);
+ fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp);
+ while (1) {
+ int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet));
+ if (write_res != sizeof(syn_packet))
+ err(1, "packet write failed");
+ }
+}
+====================================
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3731,11 +3731,8 @@ const u8 *tcp_parse_md5sig_option(const
+ int length = (th->doff << 2) - sizeof(*th);
+ const u8 *ptr = (const u8 *)(th + 1);
+
+- /* If the TCP option is too short, we can short cut */
+- if (length < TCPOLEN_MD5SIG)
+- return NULL;
+-
+- while (length > 0) {
++ /* If not enough data remaining, we can short cut */
++ while (length >= TCPOLEN_MD5SIG) {
+ int opcode = *ptr++;
+ int opsize;
+
--- /dev/null
+From foo@baz Fri Apr 27 12:23:41 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:36:28 -0700
+Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
+
+syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
+
+I believe this was caused by a TCP_MD5SIG being set on live
+flow.
+
+This is highly unexpected, since TCP option space is limited.
+
+For instance, presence of TCP MD5 option automatically disables
+TCP TimeStamp option at SYN/SYNACK time, which we can not do
+once flow has been established.
+
+Really, adding/deleting an MD5 key only makes sense on sockets
+in CLOSE or LISTEN state.
+
+[1]
+BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+ tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
+ tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
+ tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x448fe9
+RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
+RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
+RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
+R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
+R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
+ __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
+ tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2593,8 +2593,10 @@ static int do_tcp_setsockopt(struct sock
+
+ #ifdef CONFIG_TCP_MD5SIG
+ case TCP_MD5SIG:
+- /* Read the IP->Key mappings from userspace */
+- err = tp->af_specific->md5_parse(sk, optval, optlen);
++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++ err = tp->af_specific->md5_parse(sk, optval, optlen);
++ else
++ err = -EINVAL;
+ break;
+ #endif
+ case TCP_USER_TIMEOUT:
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 13 Apr 2018 13:59:25 +0200
+Subject: team: avoid adding twice the same option to the event list
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ]
+
+When parsing the options provided by the user space,
+team_nl_cmd_options_set() insert them in a temporary list to send
+multiple events with a single message.
+While each option's attribute is correctly validated, the code does
+not check for duplicate entries before inserting into the event
+list.
+
+Exploiting the above, the syzbot was able to trigger the following
+splat:
+
+kernel BUG at lib/list_debug.c:31!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
+RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
+RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
+RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
+RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
+R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
+R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
+FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __list_add include/linux/list.h:60 [inline]
+ list_add include/linux/list.h:79 [inline]
+ team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
+ genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
+ genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:639
+ ___sys_sendmsg+0x805/0x940 net/socket.c:2117
+ __sys_sendmsg+0x115/0x270 net/socket.c:2155
+ SYSC_sendmsg net/socket.c:2164 [inline]
+ SyS_sendmsg+0x29/0x30 net/socket.c:2162
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4458b9
+RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
+RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
+RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
+R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
+Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48
+89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f
+40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
+RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
+
+This changeset addresses the avoiding list_add() if the current
+option is already present in the event list.
+
+Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -253,6 +253,17 @@ static void __team_option_inst_mark_remo
+ }
+ }
+
++static bool __team_option_inst_tmp_find(const struct list_head *opts,
++ const struct team_option_inst *needle)
++{
++ struct team_option_inst *opt_inst;
++
++ list_for_each_entry(opt_inst, opts, tmp_list)
++ if (opt_inst == needle)
++ return true;
++ return false;
++}
++
+ static int __team_options_register(struct team *team,
+ const struct team_option *option,
+ size_t option_count)
+@@ -2532,6 +2543,14 @@ static int team_nl_cmd_options_set(struc
+ if (err)
+ goto team_put;
+ opt_inst->changed = true;
++
++ /* dumb/evil user-space can send us duplicate opt,
++ * keep only the last one
++ */
++ if (__team_option_inst_tmp_find(&opt_inst_list,
++ opt_inst))
++ continue;
++
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ if (!opt_found) {
--- /dev/null
+From foo@baz Fri Apr 27 13:28:45 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 24 Apr 2018 14:33:37 +0800
+Subject: team: fix netconsole setup over team
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ]
+
+The same fix in Commit dbe173079ab5 ("bridge: fix netconsole
+setup over bridge") is also needed for team driver.
+
+While at it, remove the unnecessary parameter *team from
+team_port_enable_netpoll().
+
+v1->v2:
+ - fix it in a better way, as does bridge.
+
+Fixes: 0fb52a27a04a ("team: cleanup netpoll clode")
+Reported-by: João Avelino Bellomo Filho <jbellomo@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1051,14 +1051,11 @@ static void team_port_leave(struct team
+ }
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int __team_port_enable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np;
+ int err;
+
+- if (!team->dev->npinfo)
+- return 0;
+-
+ np = kzalloc(sizeof(*np), GFP_KERNEL);
+ if (!np)
+ return -ENOMEM;
+@@ -1072,6 +1069,14 @@ static int team_port_enable_netpoll(stru
+ return err;
+ }
+
++static int team_port_enable_netpoll(struct team_port *port)
++{
++ if (!port->team->dev->npinfo)
++ return 0;
++
++ return __team_port_enable_netpoll(port);
++}
++
+ static void team_port_disable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np = port->np;
+@@ -1086,7 +1091,7 @@ static void team_port_disable_netpoll(st
+ kfree(np);
+ }
+ #else
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int team_port_enable_netpoll(struct team_port *port)
+ {
+ return 0;
+ }
+@@ -1193,7 +1198,7 @@ static int team_port_add(struct team *te
+ goto err_vids_add;
+ }
+
+- err = team_port_enable_netpoll(team, port);
++ err = team_port_enable_netpoll(port);
+ if (err) {
+ netdev_err(dev, "Failed to enable netpoll on device %s\n",
+ portname);
+@@ -1898,7 +1903,7 @@ static int team_netpoll_setup(struct net
+
+ mutex_lock(&team->lock);
+ list_for_each_entry(port, &team->port_list, list) {
+- err = team_port_enable_netpoll(team, port);
++ err = __team_port_enable_netpoll(port);
+ if (err) {
+ __team_netpoll_cleanup(team);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
