--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: "Toke Høiland-Jørgensen" <toke@toke.dk>
+Date: Thu, 13 Sep 2018 16:43:07 +0200
+Subject: gso_segment: Reset skb->mac_len after modifying network header
+
+From: "Toke Høiland-Jørgensen" <toke@toke.dk>
+
+[ Upstream commit c56cae23c6b167acc68043c683c4573b80cbcc2c ]
+
+When splitting a GSO segment that consists of encapsulated packets, the
+skb->mac_len of the segments can end up being set wrong, causing packet
+drops in particular when using act_mirred and ifb interfaces in
+combination with a qdisc that splits GSO packets.
+
+This happens because at the time skb_segment() is called, network_header
+will point to the inner header, throwing off the calculation in
+skb_reset_mac_len(). The network_header is subsequently adjust by the
+outer IP gso_segment handlers, but they don't set the mac_len.
+
+Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
+gso_segment handlers, after they modify the network_header.
+
+Many thanks to Eric Dumazet for his help in identifying the cause of
+the bug.
+
+Acked-by: Dave Taht <dave.taht@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c | 1 +
+ net/ipv6/ip6_offload.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1307,6 +1307,7 @@ struct sk_buff *inet_gso_segment(struct
+ if (encap)
+ skb_reset_inner_headers(skb);
+ skb->network_header = (u8 *)iph - skb->head;
++ skb_reset_mac_len(skb);
+ } while ((skb = skb->next));
+
+ out:
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -113,6 +113,7 @@ static struct sk_buff *ipv6_gso_segment(
+ payload_len = skb->len - nhoff - sizeof(*ipv6h);
+ ipv6h->payload_len = htons(payload_len);
+ skb->network_header = (u8 *)ipv6h - skb->head;
++ skb_reset_mac_len(skb);
+
+ if (udpfrag) {
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 14 Sep 2018 12:02:31 -0700
+Subject: ipv6: fix possible use-after-free in ip6_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 ]
+
+In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
+we need to call skb_set_owner_w() before consuming original skb,
+otherwise we risk a use-after-free.
+
+Bring IPv6 in line with what we do in IPv4 to fix this.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -219,12 +219,10 @@ int ip6_xmit(const struct sock *sk, stru
+ kfree_skb(skb);
+ return -ENOBUFS;
+ }
++ if (skb->sk)
++ skb_set_owner_w(skb2, skb->sk);
+ consume_skb(skb);
+ skb = skb2;
+- /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
+- * it is safe to call in our context (socket lock not held)
+- */
+- skb_set_owner_w(skb, (struct sock *)sk);
+ }
+ if (opt->opt_flen)
+ ipv6_push_frag_opts(skb, opt, &proto);
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Vasily Khoruzhick <vasilykh@arista.com>
+Date: Thu, 13 Sep 2018 11:12:03 -0700
+Subject: neighbour: confirm neigh entries when ARP packet is received
+
+From: Vasily Khoruzhick <vasilykh@arista.com>
+
+[ Upstream commit f0e0d04413fcce9bc76388839099aee93cd0d33b ]
+
+Update 'confirmed' timestamp when ARP packet is received. It shouldn't
+affect locktime logic and anyway entry can be confirmed by any higher-layer
+protocol. Thus it makes sense to confirm it when ARP packet is received.
+
+Fixes: 77d7123342dc ("neighbour: update neigh timestamps iff update is effective")
+Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1174,6 +1174,12 @@ int neigh_update(struct neighbour *neigh
+ lladdr = neigh->ha;
+ }
+
++ /* Update confirmed timestamp for neighbour entry after we
++ * received ARP packet even if it doesn't change IP to MAC binding.
++ */
++ if (new & NUD_CONNECTED)
++ neigh->confirmed = jiffies;
++
+ /* If entry was valid and address is not changed,
+ do not change entry state, if new one is STALE.
+ */
+@@ -1195,15 +1201,12 @@ int neigh_update(struct neighbour *neigh
+ }
+ }
+
+- /* Update timestamps only once we know we will make a change to the
++ /* Update timestamp only once we know we will make a change to the
+ * neighbour entry. Otherwise we risk to move the locktime window with
+ * noop updates and ignore relevant ARP updates.
+ */
+- if (new != old || lladdr != neigh->ha) {
+- if (new & NUD_CONNECTED)
+- neigh->confirmed = jiffies;
++ if (new != old || lladdr != neigh->ha)
+ neigh->updated = jiffies;
+- }
+
+ if (new != old) {
+ neigh_del_timer(neigh);
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 12 Sep 2018 07:36:35 +0200
+Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ]
+
+Fields ->dev and ->next of struct ipddp_route may be copied to
+userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
+to CAP_NET_ADMIN though. Let's manually copy the relevant fields
+instead of using memcpy().
+
+BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
+Cc: Jann Horn <jannh@google.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/appletalk/ipddp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/appletalk/ipddp.c
++++ b/drivers/net/appletalk/ipddp.c
+@@ -283,8 +283,12 @@ static int ipddp_ioctl(struct net_device
+ case SIOCFINDIPDDPRT:
+ spin_lock_bh(&ipddp_route_lock);
+ rp = __ipddp_find_route(&rcp);
+- if (rp)
+- memcpy(&rcp2, rp, sizeof(rcp2));
++ if (rp) {
++ memset(&rcp2, 0, sizeof(rcp2));
++ rcp2.ip = rp->ip;
++ rcp2.at = rp->at;
++ rcp2.flags = rp->flags;
++ }
+ spin_unlock_bh(&ipddp_route_lock);
+
+ if (rp) {
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 14 Sep 2018 17:39:53 +0100
+Subject: net: hp100: fix always-true check for link up state
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit a7f38002fb69b44f8fc622ecb838665d0b8666af ]
+
+The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value
+that is always non-zero and hence the wait for the link to drop always
+terminates prematurely. Fix this by using a logical not operator instead
+of a bitwise complement. This issue has been in the driver since
+pre-2.6.12-rc2.
+
+Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hp/hp100.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hp/hp100.c
++++ b/drivers/net/ethernet/hp/hp100.c
+@@ -2634,7 +2634,7 @@ static int hp100_login_to_vg_hub(struct
+ /* Wait for link to drop */
+ time = jiffies + (HZ / 10);
+ do {
+- if (~(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
++ if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
+ break;
+ if (!in_interrupt())
+ schedule_timeout_interruptible(1);
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 14 Sep 2018 12:03:18 +0200
+Subject: net/sched: act_sample: fix NULL dereference in the data path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 34043d250f51368f214aed7f54c2dc29c819a8c7 ]
+
+Matteo reported the following splat, testing the datapath of TC 'sample':
+
+ BUG: KASAN: null-ptr-deref in tcf_sample_act+0xc4/0x310
+ Read of size 8 at addr 0000000000000000 by task nc/433
+
+ CPU: 0 PID: 433 Comm: nc Not tainted 4.19.0-rc3-kvm #17
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20180531_142017-buildhw-08.phx2.fedoraproject.org-1.fc28 04/01/2014
+ Call Trace:
+ kasan_report.cold.6+0x6c/0x2fa
+ tcf_sample_act+0xc4/0x310
+ ? dev_hard_start_xmit+0x117/0x180
+ tcf_action_exec+0xa3/0x160
+ tcf_classify+0xdd/0x1d0
+ htb_enqueue+0x18e/0x6b0
+ ? deref_stack_reg+0x7a/0xb0
+ ? htb_delete+0x4b0/0x4b0
+ ? unwind_next_frame+0x819/0x8f0
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ __dev_queue_xmit+0x722/0xca0
+ ? unwind_get_return_address_ptr+0x50/0x50
+ ? netdev_pick_tx+0xe0/0xe0
+ ? save_stack+0x8c/0xb0
+ ? kasan_kmalloc+0xbe/0xd0
+ ? __kmalloc_track_caller+0xe4/0x1c0
+ ? __kmalloc_reserve.isra.45+0x24/0x70
+ ? __alloc_skb+0xdd/0x2e0
+ ? sk_stream_alloc_skb+0x91/0x3b0
+ ? tcp_sendmsg_locked+0x71b/0x15a0
+ ? tcp_sendmsg+0x22/0x40
+ ? __sys_sendto+0x1b0/0x250
+ ? __x64_sys_sendto+0x6f/0x80
+ ? do_syscall_64+0x5d/0x150
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ ? __sys_sendto+0x1b0/0x250
+ ? __x64_sys_sendto+0x6f/0x80
+ ? do_syscall_64+0x5d/0x150
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ ip_finish_output2+0x495/0x590
+ ? ip_copy_metadata+0x2e0/0x2e0
+ ? skb_gso_validate_network_len+0x6f/0x110
+ ? ip_finish_output+0x174/0x280
+ __tcp_transmit_skb+0xb17/0x12b0
+ ? __tcp_select_window+0x380/0x380
+ tcp_write_xmit+0x913/0x1de0
+ ? __sk_mem_schedule+0x50/0x80
+ tcp_sendmsg_locked+0x49d/0x15a0
+ ? tcp_rcv_established+0x8da/0xa30
+ ? tcp_set_state+0x220/0x220
+ ? clear_user+0x1f/0x50
+ ? iov_iter_zero+0x1ae/0x590
+ ? __fget_light+0xa0/0xe0
+ tcp_sendmsg+0x22/0x40
+ __sys_sendto+0x1b0/0x250
+ ? __ia32_sys_getpeername+0x40/0x40
+ ? _copy_to_user+0x58/0x70
+ ? poll_select_copy_remaining+0x176/0x200
+ ? __pollwait+0x1c0/0x1c0
+ ? ktime_get_ts64+0x11f/0x140
+ ? kern_select+0x108/0x150
+ ? core_sys_select+0x360/0x360
+ ? vfs_read+0x127/0x150
+ ? kernel_write+0x90/0x90
+ __x64_sys_sendto+0x6f/0x80
+ do_syscall_64+0x5d/0x150
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fefef2b129d
+ Code: ff ff ff ff eb b6 0f 1f 80 00 00 00 00 48 8d 05 51 37 0c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41
+ RSP: 002b:00007fff2f5350c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 000056118d60c120 RCX: 00007fefef2b129d
+ RDX: 0000000000002000 RSI: 000056118d629320 RDI: 0000000000000003
+ RBP: 000056118d530370 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000002000
+ R13: 000056118d5c2a10 R14: 000056118d5c2a10 R15: 000056118d5303b8
+
+tcf_sample_act() tried to update its per-cpu stats, but tcf_sample_init()
+forgot to allocate them, because tcf_idr_create() was called with a wrong
+value of 'cpustats'. Setting it to true proved to fix the reported crash.
+
+Reported-by: Matteo Croce <mcroce@redhat.com>
+Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
+Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
+Tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_sample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -64,7 +64,7 @@ static int tcf_sample_init(struct net *n
+
+ if (!exists) {
+ ret = tcf_idr_create(tn, parm->index, est, a,
+- &act_sample_ops, bind, false);
++ &act_sample_ops, bind, true);
+ if (ret)
+ return ret;
+ ret = ACT_P_CREATED;
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 14 Sep 2018 16:28:05 +0200
+Subject: pppoe: fix reception of frames with no mac header
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 8540827ebac6b654ab2f69c8fbce9e4fbd6304a0 ]
+
+pppoe_rcv() needs to look back at the Ethernet header in order to
+lookup the PPPoE session. Therefore we need to ensure that the mac
+header is big enough to contain an Ethernet header. Otherwise
+eth_hdr(skb)->h_source might access invalid data.
+
+==================================================================
+BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
+BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
+BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
+CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
+01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
+ __get_item drivers/net/ppp/pppoe.c:172 [inline]
+ get_item drivers/net/ppp/pppoe.c:236 [inline]
+ pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
+ __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ call_write_iter include/linux/fs.h:1782 [inline]
+ new_sync_write fs/read_write.c:469 [inline]
+ __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
+ vfs_write+0x463/0x8d0 fs/read_write.c:544
+ SYSC_write+0x172/0x360 fs/read_write.c:589
+ SyS_write+0x55/0x80 fs/read_write.c:581
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4447c9
+RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
+RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
+RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
+R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
+R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
+ sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
+ tun_alloc_skb drivers/net/tun.c:1532 [inline]
+ tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ call_write_iter include/linux/fs.h:1782 [inline]
+ new_sync_write fs/read_write.c:469 [inline]
+ __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
+ vfs_write+0x463/0x8d0 fs/read_write.c:544
+ SYSC_write+0x172/0x360 fs/read_write.c:589
+ SyS_write+0x55/0x80 fs/read_write.c:581
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+==================================================================
+
+Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
+Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb
+ if (!skb)
+ goto out;
+
++ if (skb_mac_header_len(skb) < ETH_HLEN)
++ goto drop;
++
+ if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+ goto drop;
+
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Mon, 17 Sep 2018 22:00:24 +0200
+Subject: qmi_wwan: set DTR for modems in forced USB2 mode
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 922005c7f50e7f4b2a6dbc182e9c575b4f92396b ]
+
+Recent firmware revisions have added the ability to force
+these modems to USB2 mode, hiding their SuperSpeed
+capabilities from the host. The driver has been using the
+SuperSpeed capability, as shown by the bcdUSB field of the
+device descriptor, to detect the need to enable the DTR
+quirk. This method fails when the modems are forced to
+USB2 mode by the modem firmware.
+
+Fix by unconditionally enabling the DTR quirk for the
+affected device IDs.
+
+Reported-by: Fred Veldini <fred.veldini@gmail.com>
+Reported-by: Deshu Wen <dwen@sierrawireless.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Reported-by: Fred Veldini <fred.veldini@gmail.com>
+Reported-by: Deshu Wen <dwen@sierrawireless.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1205,13 +1205,13 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */
+ {QMI_FIXED_INTF(0x1199, 0x9063, 8)}, /* Sierra Wireless EM7305 */
+ {QMI_FIXED_INTF(0x1199, 0x9063, 10)}, /* Sierra Wireless EM7305 */
+- {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */
+- {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */
+- {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */
+- {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */
+- {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */
+- {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */
+- {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x9071, 10)},/* Sierra Wireless MC74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x9079, 10)},/* Sierra Wireless EM74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x907b, 10)},/* Sierra Wireless EM74xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */
+ {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
--- /dev/null
+gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
+ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
+net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
+net-hp100-fix-always-true-check-for-link-up-state.patch
+pppoe-fix-reception-of-frames-with-no-mac-header.patch
+qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch
+udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch
+neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
+udp6-add-missing-checks-on-edumux-packet-processing.patch
+net-sched-act_sample-fix-null-dereference-in-the-data-path.patch
+tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch
+tls-zero-the-crypto-information-from-tls_context-before-freeing.patch
+tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 12 Sep 2018 17:44:43 +0200
+Subject: tls: clear key material from kernel memory when do_tls_setsockopt_conf fails
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit c844eb46b7d43c2cf760169df5ae1d5b033af338 ]
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -425,7 +425,7 @@ static int do_tls_setsockopt_tx(struct s
+ goto out;
+
+ err_crypto_info:
+- memset(crypto_info, 0, sizeof(*crypto_info));
++ memzero_explicit(crypto_info, sizeof(union tls_crypto_context));
+ out:
+ return rc;
+ }
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 12 Sep 2018 17:44:41 +0200
+Subject: tls: don't copy the key out of tls12_crypto_info_aes_gcm_128
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 7cba09c6d5bc73ebbd25a353742d9ddb7a713b95 ]
+
+There's no need to copy the key to an on-stack buffer before calling
+crypto_aead_setkey().
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -661,7 +661,6 @@ static void tls_sw_free_resources(struct
+
+ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
+ {
+- char keyval[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
+ struct tls_crypto_info *crypto_info;
+ struct tls12_crypto_info_aes_gcm_128 *gcm_128_info;
+ struct tls_sw_context *sw_ctx;
+@@ -753,9 +752,7 @@ int tls_set_sw_offload(struct sock *sk,
+
+ ctx->push_pending_record = tls_sw_push_pending_record;
+
+- memcpy(keyval, gcm_128_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+-
+- rc = crypto_aead_setkey(sw_ctx->aead_send, keyval,
++ rc = crypto_aead_setkey(sw_ctx->aead_send, gcm_128_info->key,
+ TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+ if (rc)
+ goto free_aead;
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 12 Sep 2018 17:44:42 +0200
+Subject: tls: zero the crypto information from tls_context before freeing
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 86029d10af18381814881d6cce2dd6872163b59f ]
+
+This contains key material in crypto_send_aes_gcm_128 and
+crypto_recv_aes_gcm_128.
+
+Introduce union tls_crypto_context, and replace the two identical
+unions directly embedded in struct tls_context with it. We can then
+use this union to clean up the memory in the new tls_ctx_free()
+function.
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tls.h | 14 ++++++++------
+ net/tls/tls_main.c | 15 ++++++++++++---
+ net/tls/tls_sw.c | 2 +-
+ 3 files changed, 21 insertions(+), 10 deletions(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -79,11 +79,13 @@ enum {
+ TLS_PENDING_CLOSED_RECORD
+ };
+
++union tls_crypto_context {
++ struct tls_crypto_info info;
++ struct tls12_crypto_info_aes_gcm_128 aes_gcm_128;
++};
++
+ struct tls_context {
+- union {
+- struct tls_crypto_info crypto_send;
+- struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128;
+- };
++ union tls_crypto_context crypto_send;
+
+ void *priv_ctx;
+
+@@ -208,8 +210,8 @@ static inline void tls_fill_prepend(stru
+ * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE
+ */
+ buf[0] = record_type;
+- buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.version);
+- buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.version);
++ buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.info.version);
++ buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.info.version);
+ /* we can use IV for nonce explicit according to spec */
+ buf[3] = pkt_len >> 8;
+ buf[4] = pkt_len & 0xFF;
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -218,6 +218,15 @@ static void tls_write_space(struct sock
+ ctx->sk_write_space(sk);
+ }
+
++static void tls_ctx_free(struct tls_context *ctx)
++{
++ if (!ctx)
++ return;
++
++ memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
++ kfree(ctx);
++}
++
+ static void tls_sk_proto_close(struct sock *sk, long timeout)
+ {
+ struct tls_context *ctx = tls_get_ctx(sk);
+@@ -246,7 +255,7 @@ static void tls_sk_proto_close(struct so
+ kfree(ctx->iv);
+
+ sk_proto_close = ctx->sk_proto_close;
+- kfree(ctx);
++ tls_ctx_free(ctx);
+
+ release_sock(sk);
+ sk_proto_close(sk, timeout);
+@@ -274,7 +283,7 @@ static int do_tls_getsockopt_tx(struct s
+ }
+
+ /* get user crypto info */
+- crypto_info = &ctx->crypto_send;
++ crypto_info = &ctx->crypto_send.info;
+
+ if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
+ rc = -EBUSY;
+@@ -371,7 +380,7 @@ static int do_tls_setsockopt_tx(struct s
+ }
+
+ /* get user crypto info */
+- crypto_info = &ctx->crypto_send;
++ crypto_info = &ctx->crypto_send.info;
+
+ /* Currently we don't support set crypto info more than one time */
+ if (TLS_CRYPTO_INFO_READY(crypto_info)) {
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -687,7 +687,7 @@ int tls_set_sw_offload(struct sock *sk,
+ ctx->priv_ctx = (struct tls_offload_context *)sw_ctx;
+ ctx->free_resources = tls_sw_free_resources;
+
+- crypto_info = &ctx->crypto_send;
++ crypto_info = &ctx->crypto_send.info;
+ switch (crypto_info->cipher_type) {
+ case TLS_CIPHER_AES_GCM_128: {
+ nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 13 Sep 2018 16:27:20 +0200
+Subject: udp4: fix IP_CMSG_CHECKSUM for connected sockets
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 2b5a921740a55c00223a797d075b9c77c42cb171 ]
+
+commit 2abb7cdc0dc8 ("udp: Add support for doing checksum
+unnecessary conversion") left out the early demux path for
+connected sockets. As a result IP_CMSG_CHECKSUM gives wrong
+values for such socket when GRO is not enabled/available.
+
+This change addresses the issue by moving the csum conversion to a
+common helper and using such helper in both the default and the
+early demux rx path.
+
+Fixes: 2abb7cdc0dc8 ("udp: Add support for doing checksum unnecessary conversion")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 49 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 26 insertions(+), 23 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2049,6 +2049,28 @@ static inline int udp4_csum_init(struct
+ inet_compute_pseudo);
+ }
+
++/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
++ * return code conversion for ip layer consumption
++ */
++static int udp_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb,
++ struct udphdr *uh)
++{
++ int ret;
++
++ if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
++ skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
++ inet_compute_pseudo);
++
++ ret = udp_queue_rcv_skb(sk, skb);
++
++ /* a return value > 0 means to resubmit the input, but
++ * it wants the return to be -protocol, or 0
++ */
++ if (ret > 0)
++ return -ret;
++ return 0;
++}
++
+ /*
+ * All we need to do is get the socket, and then do a checksum.
+ */
+@@ -2095,14 +2117,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ if (unlikely(sk->sk_rx_dst != dst))
+ udp_sk_rx_dst_set(sk, dst);
+
+- ret = udp_queue_rcv_skb(sk, skb);
++ ret = udp_unicast_rcv_skb(sk, skb, uh);
+ sock_put(sk);
+- /* a return value > 0 means to resubmit the input, but
+- * it wants the return to be -protocol, or 0
+- */
+- if (ret > 0)
+- return -ret;
+- return 0;
++ return ret;
+ }
+
+ if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
+@@ -2110,22 +2127,8 @@ int __udp4_lib_rcv(struct sk_buff *skb,
+ saddr, daddr, udptable, proto);
+
+ sk = __udp4_lib_lookup_skb(skb, uh->source, uh->dest, udptable);
+- if (sk) {
+- int ret;
+-
+- if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
+- skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
+- inet_compute_pseudo);
+-
+- ret = udp_queue_rcv_skb(sk, skb);
+-
+- /* a return value > 0 means to resubmit the input, but
+- * it wants the return to be -protocol, or 0
+- */
+- if (ret > 0)
+- return -ret;
+- return 0;
+- }
++ if (sk)
++ return udp_unicast_rcv_skb(sk, skb, uh);
+
+ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+ goto drop;
--- /dev/null
+From foo@baz Wed Sep 26 11:28:02 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 13 Sep 2018 16:27:21 +0200
+Subject: udp6: add missing checks on edumux packet processing
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit eb63f2964dbe36f26deac77d3016791675821ded ]
+
+Currently the UDPv6 early demux rx code path lacks some mandatory
+checks, already implemented into the normal RX code path - namely
+the checksum conversion and no_check6_rx check.
+
+Similar to the previous commit, we move the common processing to
+an UDPv6 specific helper and call it from both edemux code path
+and normal code path. In respect to the UDPv4, we need to add an
+explicit check for non zero csum according to no_check6_rx value.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Suggested-by: Xin Long <lucien.xin@gmail.com>
+Fixes: c9f2c1ae123a ("udp6: fix socket leak on early demux")
+Fixes: 2abb7cdc0dc8 ("udp: Add support for doing checksum unnecessary conversion")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp.c | 65 ++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 37 insertions(+), 28 deletions(-)
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -780,6 +780,28 @@ static void udp6_sk_rx_dst_set(struct so
+ }
+ }
+
++/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
++ * return code conversion for ip layer consumption
++ */
++static int udp6_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb,
++ struct udphdr *uh)
++{
++ int ret;
++
++ if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
++ skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
++ ip6_compute_pseudo);
++
++ ret = udpv6_queue_rcv_skb(sk, skb);
++
++ /* a return value > 0 means to resubmit the input, but
++ * it wants the return to be -protocol, or 0
++ */
++ if (ret > 0)
++ return -ret;
++ return 0;
++}
++
+ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+ int proto)
+ {
+@@ -831,13 +853,14 @@ int __udp6_lib_rcv(struct sk_buff *skb,
+ if (unlikely(sk->sk_rx_dst != dst))
+ udp6_sk_rx_dst_set(sk, dst);
+
+- ret = udpv6_queue_rcv_skb(sk, skb);
+- sock_put(sk);
++ if (!uh->check && !udp_sk(sk)->no_check6_rx) {
++ sock_put(sk);
++ goto report_csum_error;
++ }
+
+- /* a return value > 0 means to resubmit the input */
+- if (ret > 0)
+- return ret;
+- return 0;
++ ret = udp6_unicast_rcv_skb(sk, skb, uh);
++ sock_put(sk);
++ return ret;
+ }
+
+ /*
+@@ -850,30 +873,13 @@ int __udp6_lib_rcv(struct sk_buff *skb,
+ /* Unicast */
+ sk = __udp6_lib_lookup_skb(skb, uh->source, uh->dest, udptable);
+ if (sk) {
+- int ret;
+-
+- if (!uh->check && !udp_sk(sk)->no_check6_rx) {
+- udp6_csum_zero_error(skb);
+- goto csum_error;
+- }
+-
+- if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
+- skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
+- ip6_compute_pseudo);
+-
+- ret = udpv6_queue_rcv_skb(sk, skb);
+-
+- /* a return value > 0 means to resubmit the input */
+- if (ret > 0)
+- return ret;
+-
+- return 0;
++ if (!uh->check && !udp_sk(sk)->no_check6_rx)
++ goto report_csum_error;
++ return udp6_unicast_rcv_skb(sk, skb, uh);
+ }
+
+- if (!uh->check) {
+- udp6_csum_zero_error(skb);
+- goto csum_error;
+- }
++ if (!uh->check)
++ goto report_csum_error;
+
+ if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
+ goto discard;
+@@ -894,6 +900,9 @@ short_packet:
+ ulen, skb->len,
+ daddr, ntohs(uh->dest));
+ goto discard;
++
++report_csum_error:
++ udp6_csum_zero_error(skb);
+ csum_error:
+ __UDP6_INC_STATS(net, UDP_MIB_CSUMERRORS, proto == IPPROTO_UDPLITE);
+ discard:
--- /dev/null
+gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
+ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
+net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
+net-hp100-fix-always-true-check-for-link-up-state.patch
+pppoe-fix-reception-of-frames-with-no-mac-header.patch
+qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch
+udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch
+tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch
+tls-zero-the-crypto-information-from-tls_context-before-freeing.patch
+tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch
+neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
+udp6-add-missing-checks-on-edumux-packet-processing.patch
+net-sched-act_sample-fix-null-dereference-in-the-data-path.patch
+hv_netvsc-fix-schedule-in-rcu-context.patch
+net-dsa-mv88e6xxx-fix-atu-miss-violation.patch
+socket-fix-struct-ifreq-size-in-compat-ioctl.patch
+tls-fix-currently-broken-msg_peek-behavior.patch
+bnxt_en-fix-vf-mac-address-regression.patch
+ipv6-use-rt6_info-members-when-dst-is-set-in-rt6_fill_node.patch
+net-ipv6-do-not-copy-dst-flags-on-rt-init.patch
+net-mvpp2-let-phylink-manage-the-carrier-state.patch
+net-rtnl_configure_link-fix-dev-flags-changes-arg-to-__dev_notify_flags.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
