4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 09:52:39 +0000 (10:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 09:52:39 +0000 (10:52 +0100)
added patches:
macvlan-schedule-bc_work-even-if-error.patch
net-psample-fix-skb_over_panic.patch
net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
openvswitch-fix-flow-command-message-size.patch
openvswitch-remove-another-bug_on.patch
sctp-cache-netns-in-sctp_ep_common.patch
slip-fix-use-after-free-read-in-slip_open.patch
tipc-fix-link-name-length-check.patch

queue-4.14/macvlan-schedule-bc_work-even-if-error.patch [new file with mode: 0644]
queue-4.14/net-psample-fix-skb_over_panic.patch [new file with mode: 0644]
queue-4.14/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch [new file with mode: 0644]
queue-4.14/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch [new file with mode: 0644]
queue-4.14/openvswitch-fix-flow-command-message-size.patch [new file with mode: 0644]
queue-4.14/openvswitch-remove-another-bug_on.patch [new file with mode: 0644]
queue-4.14/sctp-cache-netns-in-sctp_ep_common.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/slip-fix-use-after-free-read-in-slip_open.patch [new file with mode: 0644]
queue-4.14/tipc-fix-link-name-length-check.patch [new file with mode: 0644]

diff --git a/queue-4.14/macvlan-schedule-bc_work-even-if-error.patch b/queue-4.14/macvlan-schedule-bc_work-even-if-error.patch
new file mode 100644 (file)
index 0000000..783d2a1
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Menglong Dong <dong.menglong@zte.com.cn>
+Date: Mon, 25 Nov 2019 16:58:09 +0800
+Subject: macvlan: schedule bc_work even if error
+
+From: Menglong Dong <dong.menglong@zte.com.cn>
+
+[ Upstream commit 1d7ea55668878bb350979c377fc72509dd6f5b21 ]
+
+While enqueueing a broadcast skb to port->bc_queue, schedule_work()
+is called to add port->bc_work, which processes the skbs in
+bc_queue, to "events" work queue. If port->bc_queue is full, the
+skb will be discarded and schedule_work(&port->bc_work) won't be
+called. However, if port->bc_queue is full and port->bc_work is not
+running or pending, port->bc_queue will keep full and schedule_work()
+won't be called any more, and all broadcast skbs to macvlan will be
+discarded. This case can happen:
+
+macvlan_process_broadcast() is the pending function of port->bc_work,
+it moves all the skbs in port->bc_queue to the queue "list", and
+processes the skbs in "list". During this, new skbs will keep being
+added to port->bc_queue in macvlan_broadcast_enqueue(), and
+port->bc_queue may already full when macvlan_process_broadcast()
+return. This may happen, especially when there are a lot of real-time
+threads and the process is preempted.
+
+Fix this by calling schedule_work(&port->bc_work) even if
+port->bc_work is full in macvlan_broadcast_enqueue().
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -363,10 +363,11 @@ static void macvlan_broadcast_enqueue(st
+       }
+       spin_unlock(&port->bc_queue.lock);
++      schedule_work(&port->bc_work);
++
+       if (err)
+               goto free_nskb;
+-      schedule_work(&port->bc_work);
+       return;
+ free_nskb:
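Review bot: Nothing in the new code records why `schedule_work(&port->bc_work)` now runs before the `if (err)` test, which is exactly the ordering a later cleanup would be tempted to "tidy" back to the old form; a one-line comment at the moved call would pin it, e.g. `/* Kick bc_work even when this skb is dropped: a full bc_queue with an idle worker would otherwise never drain again. */`. The unconditional kick is cheap when the work is already pending, but note that under a sustained broadcast flood every dropped skb now also calls schedule_work(); that looks acceptable since, as the description explains, it is the only thing that can restart a stalled queue. The description's last paragraph says "even if port->bc_work is full", which should presumably read `port->bc_queue`. macvlan_broadcast_enqueue() begins outside the hunk, so the queue-length check that sets `err` is not visible here.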
diff --git a/queue-4.14/net-psample-fix-skb_over_panic.patch b/queue-4.14/net-psample-fix-skb_over_panic.patch
new file mode 100644 (file)
index 0000000..2a0b795
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 27 Nov 2019 00:16:44 +0200
+Subject: net: psample: fix skb_over_panic
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 7eb9d7675c08937cd11d32b0b40442d4d731c5ee ]
+
+We need to calculate the skb size correctly otherwise we risk triggering
+skb_over_panic[1]. The issue is that data_len is added to the skb in a
+nl attribute, but we don't account for its header size (nlattr 4 bytes)
+and alignment. We account for it when calculating the total size in
+the > PSAMPLE_MAX_PACKET_SIZE comparison correctly, but not when
+allocating after that. The fix is simple - use nla_total_size() for
+data_len when allocating.
+
+To reproduce:
+ $ tc qdisc add dev eth1 clsact
+ $ tc filter add dev eth1 egress matchall action sample rate 1 group 1 trunc 129
+ $ mausezahn eth1 -b bcast -a rand -c 1 -p 129
+ < skb_over_panic BUG(), tail is 4 bytes past skb->end >
+
+[1] Trace:
+ [   50.459526][ T3480] skbuff: skb_over_panic: text:(____ptrval____) len:196 put:136 head:(____ptrval____) data:(____ptrval____) tail:0xc4 end:0xc0 dev:<NULL>
+ [   50.474339][ T3480] ------------[ cut here ]------------
+ [   50.481132][ T3480] kernel BUG at net/core/skbuff.c:108!
+ [   50.486059][ T3480] invalid opcode: 0000 [#1] PREEMPT SMP
+ [   50.489463][ T3480] CPU: 3 PID: 3480 Comm: mausezahn Not tainted 5.4.0-rc7 #108
+ [   50.492844][ T3480] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ [   50.496551][ T3480] RIP: 0010:skb_panic+0x79/0x7b
+ [   50.498261][ T3480] Code: bc 00 00 00 41 57 4c 89 e6 48 c7 c7 90 29 9a 83 4c 8b 8b c0 00 00 00 50 8b 83 b8 00 00 00 50 ff b3 c8 00 00 00 e8 ae ef c0 fe <0f> 0b e8 2f df c8 fe 48 8b 55 08 44 89 f6 4c 89 e7 48 c7 c1 a0 22
+ [   50.504111][ T3480] RSP: 0018:ffffc90000447a10 EFLAGS: 00010282
+ [   50.505835][ T3480] RAX: 0000000000000087 RBX: ffff888039317d00 RCX: 0000000000000000
+ [   50.507900][ T3480] RDX: 0000000000000000 RSI: ffffffff812716e1 RDI: 00000000ffffffff
+ [   50.509820][ T3480] RBP: ffffc90000447a60 R08: 0000000000000001 R09: 0000000000000000
+ [   50.511735][ T3480] R10: ffffffff81d4f940 R11: 0000000000000000 R12: ffffffff834a22b0
+ [   50.513494][ T3480] R13: ffffffff82c10433 R14: 0000000000000088 R15: ffffffff838a8084
+ [   50.515222][ T3480] FS:  00007f3536462700(0000) GS:ffff88803eac0000(0000) knlGS:0000000000000000
+ [   50.517135][ T3480] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [   50.518583][ T3480] CR2: 0000000000442008 CR3: 000000003b222000 CR4: 00000000000006e0
+ [   50.520723][ T3480] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [   50.522709][ T3480] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [   50.524450][ T3480] Call Trace:
+ [   50.525214][ T3480]  skb_put.cold+0x1b/0x1b
+ [   50.526171][ T3480]  psample_sample_packet+0x1d3/0x340
+ [   50.527307][ T3480]  tcf_sample_act+0x178/0x250
+ [   50.528339][ T3480]  tcf_action_exec+0xb1/0x190
+ [   50.529354][ T3480]  mall_classify+0x67/0x90
+ [   50.530332][ T3480]  tcf_classify+0x72/0x160
+ [   50.531286][ T3480]  __dev_queue_xmit+0x3db/0xd50
+ [   50.532327][ T3480]  dev_queue_xmit+0x18/0x20
+ [   50.533299][ T3480]  packet_sendmsg+0xee7/0x2090
+ [   50.534331][ T3480]  sock_sendmsg+0x54/0x70
+ [   50.535271][ T3480]  __sys_sendto+0x148/0x1f0
+ [   50.536252][ T3480]  ? tomoyo_file_ioctl+0x23/0x30
+ [   50.537334][ T3480]  ? ksys_ioctl+0x5e/0xb0
+ [   50.540068][ T3480]  __x64_sys_sendto+0x2a/0x30
+ [   50.542810][ T3480]  do_syscall_64+0x73/0x1f0
+ [   50.545383][ T3480]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [   50.548477][ T3480] RIP: 0033:0x7f35357d6fb3
+ [   50.551020][ T3480] Code: 48 8b 0d 18 90 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 d3 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 eb f6 ff ff 48 89 04 24
+ [   50.558547][ T3480] RSP: 002b:00007ffe0c7212c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+ [   50.561870][ T3480] RAX: ffffffffffffffda RBX: 0000000001dac010 RCX: 00007f35357d6fb3
+ [   50.565142][ T3480] RDX: 0000000000000082 RSI: 0000000001dac2a2 RDI: 0000000000000003
+ [   50.568469][ T3480] RBP: 00007ffe0c7212f0 R08: 00007ffe0c7212d0 R09: 0000000000000014
+ [   50.571731][ T3480] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000082
+ [   50.574961][ T3480] R13: 0000000001dac2a2 R14: 0000000000000001 R15: 0000000000000003
+ [   50.578170][ T3480] Modules linked in: sch_ingress virtio_net
+ [   50.580976][ T3480] ---[ end trace 61a515626a595af6 ]---
+
+CC: Yotam Gigi <yotamg@mellanox.com>
+CC: Jiri Pirko <jiri@mellanox.com>
+CC: Jamal Hadi Salim <jhs@mojatatu.com>
+CC: Simon Horman <simon.horman@netronome.com>
+CC: Roopa Prabhu <roopa@cumulusnetworks.com>
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/psample/psample.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/psample/psample.c
++++ b/net/psample/psample.c
+@@ -223,7 +223,7 @@ void psample_sample_packet(struct psampl
+               data_len = PSAMPLE_MAX_PACKET_SIZE - meta_len - NLA_HDRLEN
+                           - NLA_ALIGNTO;
+-      nl_skb = genlmsg_new(meta_len + data_len, GFP_ATOMIC);
++      nl_skb = genlmsg_new(meta_len + nla_total_size(data_len), GFP_ATOMIC);
+       if (unlikely(!nl_skb))
+               return;
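Review bot: The fix is right, but the relationship it restores is now written twice in different idioms — the clamp at the top of the hunk subtracts `NLA_HDRLEN` and `NLA_ALIGNTO` by hand while the allocation uses `nla_total_size(data_len)` — and nothing says the two must agree; a comment at the genlmsg_new() line such as `/* data is carried in one nlattr: size its header and padding too (the clamp above assumes the same layout) */` would keep them in step. Judging from the reproducer, once a `sample` action is attached any sender on that device can trigger the old skb_over_panic, so the trigger is ordinary traffic rather than a privileged operation — worth stating in the backport notes if this gets triaged as a local DoS. psample_sample_packet() continues outside the hunk, so the `> PSAMPLE_MAX_PACKET_SIZE` comparison the description mentions is not visible here.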
diff --git a/queue-4.14/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch b/queue-4.14/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
new file mode 100644 (file)
index 0000000..ffbb100
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue 03 Dec 2019 10:28:24 AM CET
+From: Dust Li <dust.li@linux.alibaba.com>
+Date: Thu, 28 Nov 2019 14:29:09 +0800
+Subject: net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
+
+From: Dust Li <dust.li@linux.alibaba.com>
+
+[ Upstream commit 14e54ab9143fa60794d13ea0a66c792a2046a8f3 ]
+
+When a classful qdisc's child qdisc has set the flag
+TCQ_F_CPUSTATS (pfifo_fast for example), the child qdisc's
+cpu_bstats should be passed to gnet_stats_copy_basic(),
+but many classful qdisc didn't do that. As a result,
+`tc -s class show dev DEV` always return 0 for bytes and
+packets in this case.
+
+Pass the child qdisc's cpu_bstats to gnet_stats_copy_basic()
+to fix this issue.
+
+The qstats also has this problem, but it has been fixed
+in 5dd431b6b9 ("net: sched: introduce and use qstats read...")
+and bstats still remains buggy.
+
+Fixes: 22e0f8b9322c ("net: sched: make bstats per cpu and estimator RCU safe")
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_mq.c     |    3 ++-
+ net/sched/sch_mqprio.c |    4 ++--
+ net/sched/sch_multiq.c |    2 +-
+ net/sched/sch_prio.c   |    2 +-
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -191,7 +191,8 @@ static int mq_dump_class_stats(struct Qd
+       struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
+       sch = dev_queue->qdisc_sleeping;
+-      if (gnet_stats_copy_basic(&sch->running, d, NULL, &sch->bstats) < 0 ||
++      if (gnet_stats_copy_basic(&sch->running, d, sch->cpu_bstats,
++                                &sch->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &sch->qstats, sch->q.qlen) < 0)
+               return -1;
+       return 0;
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -366,8 +366,8 @@ static int mqprio_dump_class_stats(struc
+               struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+               sch = dev_queue->qdisc_sleeping;
+-              if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                        d, NULL, &sch->bstats) < 0 ||
++              if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch), d,
++                                        sch->cpu_bstats, &sch->bstats) < 0 ||
+                   gnet_stats_copy_queue(d, NULL,
+                                         &sch->qstats, sch->q.qlen) < 0)
+                       return -1;
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -340,7 +340,7 @@ static int multiq_dump_class_stats(struc
+       cl_q = q->queues[cl - 1];
+       if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                d, NULL, &cl_q->bstats) < 0 ||
++                                d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -298,7 +298,7 @@ static int prio_dump_class_stats(struct
+       cl_q = q->queues[cl - 1];
+       if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                d, NULL, &cl_q->bstats) < 0 ||
++                                d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
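Review bot: All four call sites now hand `cpu_bstats` to gnet_stats_copy_basic(), and for children without TCQ_F_CPUSTATS that pointer is NULL, so correctness rests on the helper falling back to the plain `bstats` when given NULL — the old lines passed NULL explicitly, so that fallback evidently exists, but none of the new lines say the pointer may be NULL. A short comment at the first site, e.g. `/* cpu_bstats is NULL unless the child qdisc has TCQ_F_CPUSTATS; the helper then uses bstats */`, would save the next reader a trip into gnet_stats.c. Minor style point: sch_mq.c reads `&sch->running` while the other three sites use `qdisc_root_sleeping_running()`; the mismatch predates this change, but the rewrapping of mq_dump_class_stats was a chance to align them. Each of the four functions starts before its hunk.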
diff --git a/queue-4.14/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch b/queue-4.14/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
new file mode 100644 (file)
index 0000000..653767a
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:24 +0100
+Subject: openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8ffeb03fbba3b599690b361467bfd2373e8c450f ]
+
+All the callers of ovs_flow_cmd_build_info() already deal with
+error return code correctly, so we can handle the error condition
+in a more gracefull way. Still dump a warning to preserve
+debuggability.
+
+v1 -> v2:
+ - clarify the commit message
+ - clean the skb and report the error (DaveM)
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -906,7 +906,10 @@ static struct sk_buff *ovs_flow_cmd_buil
+       retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
+                                       info->snd_portid, info->snd_seq, 0,
+                                       cmd, ufid_flags);
+-      BUG_ON(retval < 0);
++      if (WARN_ON_ONCE(retval < 0)) {
++              kfree_skb(skb);
++              skb = ERR_PTR(retval);
++      }
+       return skb;
+ }
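Review bot: The new `WARN_ON_ONCE` path only avoids a crash when `panic_on_warn` is off; on kernels booted with it (syzbot instances and some hardened deployments) a failed fill still takes the machine down, so the description's "more graceful" holds for the default configuration but is not a guarantee — worth a sentence in the description or a comment at the WARN. The conversion also turns the function's contract into "returns an skb or ERR_PTR()", which every caller must honour; the description says they already do, but the hunk does not show them and there is no header comment stating the new return, e.g. `/* Returns the filled skb, or ERR_PTR() if the attributes did not fit (the skb is freed). */`. ovs_flow_cmd_build_info() starts outside the hunk.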
diff --git a/queue-4.14/openvswitch-fix-flow-command-message-size.patch b/queue-4.14/openvswitch-fix-flow-command-message-size.patch
new file mode 100644 (file)
index 0000000..07dbe5a
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 26 Nov 2019 12:55:50 +0100
+Subject: openvswitch: fix flow command message size
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 4e81c0b3fa93d07653e2415fa71656b080a112fd ]
+
+When user-space sets the OVS_UFID_F_OMIT_* flags, and the relevant
+flow has no UFID, we can exceed the computed size, as
+ovs_nla_put_identifier() will always dump an OVS_FLOW_ATTR_KEY
+attribute.
+Take the above in account when computing the flow command message
+size.
+
+Fixes: 74ed7ab9264c ("openvswitch: Add support for unique flow IDs.")
+Reported-by: Qi Jun Ding <qding@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -724,9 +724,13 @@ static size_t ovs_flow_cmd_msg_size(cons
+ {
+       size_t len = NLMSG_ALIGN(sizeof(struct ovs_header));
+-      /* OVS_FLOW_ATTR_UFID */
++      /* OVS_FLOW_ATTR_UFID, or unmasked flow key as fallback
++       * see ovs_nla_put_identifier()
++       */
+       if (sfid && ovs_identifier_is_ufid(sfid))
+               len += nla_total_size(sfid->ufid_len);
++      else
++              len += nla_total_size(ovs_key_attr_size());
+       /* OVS_FLOW_ATTR_KEY */
+       if (!sfid || should_fill_key(sfid, ufid_flags))
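Review bot: For a flow without a UFID the new `else` branch reserves one `ovs_key_attr_size()`, and the very next `OVS_FLOW_ATTR_KEY` test — taken for `!sfid`, and presumably also when should_fill_key() sees a non-UFID identifier — reserves another, so the estimate now holds two full keys; if the fill path really emits both (the unmasked key as identifier, then the masked key), that is correct but should be said, otherwise someone will read the double count as the bug to fix: `/* non-UFID flows carry the unmasked key as identifier AND the masked key below; both are sized here on purpose */`. I cannot confirm should_fill_key()'s non-UFID result from the hunk; if it is false there, the reservation is merely generous, which is harmless for a size estimate. ovs_flow_cmd_msg_size() continues past the hunk.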
diff --git a/queue-4.14/openvswitch-remove-another-bug_on.patch b/queue-4.14/openvswitch-remove-another-bug_on.patch
new file mode 100644 (file)
index 0000000..76f592d
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:25 +0100
+Subject: openvswitch: remove another BUG_ON()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8a574f86652a4540a2433946ba826ccb87f398cc ]
+
+If we can't build the flow del notification, we can simply delete
+the flow, no need to crash the kernel. Still keep a WARN_ON to
+preserve debuggability.
+
+Note: the BUG_ON() predates the Fixes tag, but this change
+can be applied only after the mentioned commit.
+
+v1 -> v2:
+ - do not leak an skb on error
+
+Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1372,7 +1372,10 @@ static int ovs_flow_cmd_del(struct sk_bu
+                                                    OVS_FLOW_CMD_DEL,
+                                                    ufid_flags);
+                       rcu_read_unlock();
+-                      BUG_ON(err < 0);
++                      if (WARN_ON_ONCE(err < 0)) {
++                              kfree_skb(reply);
++                              goto out_free;
++                      }
+                       ovs_notify(&dp_flow_genl_family, reply, info);
+               } else {
+@@ -1380,6 +1383,7 @@ static int ovs_flow_cmd_del(struct sk_bu
+               }
+       }
++out_free:
+       ovs_flow_free(flow, true);
+       return 0;
+ unlock:
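Review bot: On the new error path the flow is still freed and the function returns 0, so the caller sees success although the OVS_FLOW_CMD_DEL notification was never sent; that is a defensible choice (the delete did happen) but the bare `goto out_free` hides it, so it deserves a comment at the WARN: `/* flow is already unlinked: drop the lost notification but report success for the delete itself */`. As with the sibling build_info change, `WARN_ON_ONCE` still panics under `panic_on_warn`, so this removes the BUG_ON only for the default configuration. ovs_flow_cmd_del() begins before the hunk and its `unlock:` tail continues after it.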
diff --git a/queue-4.14/sctp-cache-netns-in-sctp_ep_common.patch b/queue-4.14/sctp-cache-netns-in-sctp_ep_common.patch
new file mode 100644 (file)
index 0000000..b2a065f
--- /dev/null
@@ -0,0 +1,110 @@
+From foo@baz Tue 03 Dec 2019 10:28:24 AM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 23 Nov 2019 11:56:49 +0800
+Subject: sctp: cache netns in sctp_ep_common
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 312434617cb16be5166316cf9d08ba760b1042a1 ]
+
+This patch is to fix a data-race reported by syzbot:
+
+  BUG: KCSAN: data-race in sctp_assoc_migrate / sctp_hash_obj
+
+  write to 0xffff8880b67c0020 of 8 bytes by task 18908 on cpu 1:
+    sctp_assoc_migrate+0x1a6/0x290 net/sctp/associola.c:1091
+    sctp_sock_migrate+0x8aa/0x9b0 net/sctp/socket.c:9465
+    sctp_accept+0x3c8/0x470 net/sctp/socket.c:4916
+    inet_accept+0x7f/0x360 net/ipv4/af_inet.c:734
+    __sys_accept4+0x224/0x430 net/socket.c:1754
+    __do_sys_accept net/socket.c:1795 [inline]
+    __se_sys_accept net/socket.c:1792 [inline]
+    __x64_sys_accept+0x4e/0x60 net/socket.c:1792
+    do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+    entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+  read to 0xffff8880b67c0020 of 8 bytes by task 12003 on cpu 0:
+    sctp_hash_obj+0x4f/0x2d0 net/sctp/input.c:894
+    rht_key_get_hash include/linux/rhashtable.h:133 [inline]
+    rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+    rht_head_hashfn include/linux/rhashtable.h:174 [inline]
+    head_hashfn lib/rhashtable.c:41 [inline]
+    rhashtable_rehash_one lib/rhashtable.c:245 [inline]
+    rhashtable_rehash_chain lib/rhashtable.c:276 [inline]
+    rhashtable_rehash_table lib/rhashtable.c:316 [inline]
+    rht_deferred_worker+0x468/0xab0 lib/rhashtable.c:420
+    process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+    worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+    kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+It was caused by rhashtable access asoc->base.sk when sctp_assoc_migrate
+is changing its value. However, what rhashtable wants is netns from asoc
+base.sk, and for an asoc, its netns won't change once set. So we can
+simply fix it by caching netns since created.
+
+Fixes: d6c0256a60e6 ("sctp: add the rhashtable apis for sctp global transport hashtable")
+Reported-by: syzbot+e3b35fe7918ff0ee474e@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sctp/structs.h |    3 +++
+ net/sctp/associola.c       |    1 +
+ net/sctp/endpointola.c     |    1 +
+ net/sctp/input.c           |    4 ++--
+ 4 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -1181,6 +1181,9 @@ struct sctp_ep_common {
+       /* What socket does this endpoint belong to?  */
+       struct sock *sk;
++      /* Cache netns and it won't change once set */
++      struct net *net;
++
+       /* This is where we receive inbound chunks.  */
+       struct sctp_inq   inqueue;
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -80,6 +80,7 @@ static struct sctp_association *sctp_ass
+       /* Discarding const is appropriate here.  */
+       asoc->ep = (struct sctp_endpoint *)ep;
+       asoc->base.sk = (struct sock *)sk;
++      asoc->base.net = sock_net(sk);
+       sctp_endpoint_hold(asoc->ep);
+       sock_hold(asoc->base.sk);
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -165,6 +165,7 @@ static struct sctp_endpoint *sctp_endpoi
+       /* Remember who we are attached to.  */
+       ep->base.sk = sk;
++      ep->base.net = sock_net(sk);
+       sock_hold(ep->base.sk);
+       return ep;
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -813,7 +813,7 @@ static inline int sctp_hash_cmp(struct r
+       if (!sctp_transport_hold(t))
+               return err;
+-      if (!net_eq(sock_net(t->asoc->base.sk), x->net))
++      if (!net_eq(t->asoc->base.net, x->net))
+               goto out;
+       if (x->lport != htons(t->asoc->base.bind_addr.port))
+               goto out;
+@@ -828,7 +828,7 @@ static inline __u32 sctp_hash_obj(const
+ {
+       const struct sctp_transport *t = data;
+       const union sctp_addr *paddr = &t->ipaddr;
+-      const struct net *net = sock_net(t->asoc->base.sk);
++      const struct net *net = t->asoc->base.net;
+       __be16 lport = htons(t->asoc->base.bind_addr.port);
+       __u32 addr;
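Review bot: The new `base.net` is a bare pointer with no reference of its own; it stays valid only because `base.sk` is held (`sock_hold` follows each assignment) and a socket normally pins its namespace, yet the hash code now reads it without touching `sk` at all — the struct comment should state that dependency, e.g. `/* netns of base.sk, cached so hashing need not read sk; borrows sk's reference, never changes once set */`. The fix also relies on "netns never changes once set" (the description's argument), but sctp_assoc_migrate(), which rewrites `base.sk`, is not in the patch and nothing checks the invariant; a `WARN_ON_ONCE(!net_eq(asoc->base.net, sock_net(newsk)))` there would catch a future violation cheaply. For stable consumers, adding a field to `struct sctp_ep_common` shifts the layout of every struct embedding it, which matters to anyone tracking kABI. Both hash helpers in input.c start before their hunks.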
index 328086d1c15c97c79f1c7e7e66f0d2673b650d15..ed2b4b121eef39b93060e7ce4b8b0c26a984f779 100644 (file)
@@ -167,3 +167,12 @@ net-macb-fix-error-format-in-dev_err.patch
 pwm-clear-chip_data-in-pwm_put.patch
 media-atmel-atmel-isc-fix-asd-memory-allocation.patch
 media-atmel-atmel-isc-fix-init_work-misplacement.patch
+macvlan-schedule-bc_work-even-if-error.patch
+net-psample-fix-skb_over_panic.patch
+openvswitch-fix-flow-command-message-size.patch
+slip-fix-use-after-free-read-in-slip_open.patch
+openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
+openvswitch-remove-another-bug_on.patch
+tipc-fix-link-name-length-check.patch
+sctp-cache-netns-in-sctp_ep_common.patch
+net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
diff --git a/queue-4.14/slip-fix-use-after-free-read-in-slip_open.patch b/queue-4.14/slip-fix-use-after-free-read-in-slip_open.patch
new file mode 100644 (file)
index 0000000..b3c03da
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Mon, 25 Nov 2019 14:23:43 +0200
+Subject: slip: Fix use-after-free Read in slip_open
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]
+
+Slip_open doesn't clean-up device which registration failed from the
+slip_devs device list. On next open after failure this list is iterated
+and freed device is accessed. Fix this by calling sl_free_netdev in error
+path.
+
+Here is the trace from the Syzbot:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
+Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -859,6 +859,7 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      sl_free_netdev(sl->dev);
+       free_netdev(sl->dev);
+ err_exit:
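Review bot: The order of the two calls matters and is not explained: `sl_free_netdev(sl->dev)` must run while `sl->dev` is still valid, because it presumably drops the device from `slip_devs`, the array that `sl_sync()` walks on the next open (the trace shows exactly that walk hitting the freed device); a comment would keep a future reorder from reintroducing the use-after-free, e.g. `/* unlink from slip_devs before freeing: sl_sync() walks that array on the next open */`. I cannot see from the hunk what else sl_free_netdev() releases, so it is worth double-checking that nothing it frees is also freed earlier on this error path. The `err_free_chan:` label is inside slip_open(), whose body starts outside the hunk.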
diff --git a/queue-4.14/tipc-fix-link-name-length-check.patch b/queue-4.14/tipc-fix-link-name-length-check.patch
new file mode 100644 (file)
index 0000000..8176cfe
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue 03 Dec 2019 10:47:42 AM CET
+From: John Rutherford <john.rutherford@dektech.com.au>
+Date: Tue, 26 Nov 2019 13:52:55 +1100
+Subject: tipc: fix link name length check
+
+From: John Rutherford <john.rutherford@dektech.com.au>
+
+[ Upstream commit fd567ac20cb0377ff466d3337e6e9ac5d0cb15e4 ]
+
+In commit 4f07b80c9733 ("tipc: check msg->req data len in
+tipc_nl_compat_bearer_disable") the same patch code was copied into
+routines: tipc_nl_compat_bearer_disable(),
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+The two link routine occurrences should have been modified to check
+the maximum link name length and not bearer name length.
+
+Fixes: 4f07b80c9733 ("tipc: check msg->reg data len in tipc_nl_compat_bearer_disable")
+Signed-off-by: John Rutherford <john.rutherford@dektech.com.au>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -539,7 +539,7 @@ static int tipc_nl_compat_link_stat_dump
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
+@@ -821,7 +821,7 @@ static int tipc_nl_compat_link_reset_sta
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
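Review bot: The two fixed sites and tipc_nl_compat_bearer_disable() are now the same four-line check differing only in the constant, which is precisely how the wrong constant got copied in the first place (the description says the code was pasted); factoring it into one static helper that takes the maximum makes the bearer/link distinction a parameter rather than a detail to remember. Each site would then read `len = tipc_nl_compat_name_len(name, len, TIPC_MAX_LINK_NAME); if (len < 0) return -EINVAL;`. Also, the Fixes: line quotes the title as `msg->reg` where the first paragraph has `msg->req`; one of them is a typo. Both functions start before their hunks, so the line that computes `len` from the request is not visible here.

```c
/* Validate a NUL-terminated name of at most @max bytes inside @len bytes of
 * request data; returns the clamped length or -EINVAL.
 */
static int tipc_nl_compat_name_len(const char *name, int len, int max)
{
	if (len <= 0)
		return -EINVAL;
	len = min_t(int, len, max);
	if (!string_is_valid(name, len))
		return -EINVAL;
	return len;
}
```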