--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Thu, 8 Jun 2017 11:13:36 +0200
+Subject: af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+
+[ Upstream commit defbcf2decc903a28d8398aa477b6881e711e3ea ]
+
+Verify that the caller-provided sockaddr structure is large enough to
+contain the sa_family field, before accessing it in bind() and connect()
+handlers of the AF_UNIX socket. Since neither syscall enforces a minimum
+size of the corresponding memory region, very short sockaddrs (zero or
+one byte long) result in operating on uninitialized memory while
+referencing .sa_family.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -997,7 +997,8 @@ static int unix_bind(struct socket *sock
+ struct path path = { NULL, NULL };
+
+ err = -EINVAL;
+- if (sunaddr->sun_family != AF_UNIX)
++ if (addr_len < offsetofend(struct sockaddr_un, sun_family) ||
++ sunaddr->sun_family != AF_UNIX)
+ goto out;
+
+ if (addr_len == sizeof(short)) {
+@@ -1108,6 +1109,10 @@ static int unix_dgram_connect(struct soc
+ unsigned int hash;
+ int err;
+
++ err = -EINVAL;
++ if (alen < offsetofend(struct sockaddr, sa_family))
++ goto out;
++
+ if (addr->sa_family != AF_UNSPEC) {
+ err = unix_mkname(sunaddr, alen, &hash);
+ if (err < 0)
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Wei Wang <weiwan@google.com>
+Date: Fri, 16 Jun 2017 10:46:37 -0700
+Subject: decnet: always not take dst->__refcnt when inserting dst into hash table
+
+From: Wei Wang <weiwan@google.com>
+
+
+[ Upstream commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f ]
+
+In the existing dn_route.c code, dn_route_output_slow() takes
+dst->__refcnt before calling dn_insert_route() while dn_route_input_slow()
+does not take dst->__refcnt before calling dn_insert_route().
+This makes the whole routing code very buggy.
+In dn_dst_check_expire(), dnrt_free() is called when rt expires. This
+makes the routes inserted by dn_route_output_slow() not able to be
+freed as the refcnt is not released.
+In dn_dst_gc(), dnrt_drop() is called to release rt which could
+potentially cause the dst->__refcnt to be dropped to -1.
+In dn_run_flush(), dst_free() is called to release all the dst. Again,
+it makes the dst inserted by dn_route_output_slow() not able to be
+released and also, it does not wait on the rcu and could potentially
+cause crash in the path where other users still refer to this dst.
+
+This patch makes sure both input and output path do not take
+dst->__refcnt before calling dn_insert_route() and also makes sure
+dnrt_free()/dst_free() is called when removing dst from the hash table.
+The only difference between those 2 calls is that dnrt_free() waits on
+the rcu while dst_free() does not.
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/decnet/dn_route.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/net/decnet/dn_route.c
++++ b/net/decnet/dn_route.c
+@@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_r
+ call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
+ }
+
+-static inline void dnrt_drop(struct dn_route *rt)
+-{
+- dst_release(&rt->dst);
+- call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
+-}
+-
+ static void dn_dst_check_expire(unsigned long dummy)
+ {
+ int i;
+@@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops
+ }
+ *rtp = rt->dst.dn_next;
+ rt->dst.dn_next = NULL;
+- dnrt_drop(rt);
++ dnrt_free(rt);
+ break;
+ }
+ spin_unlock_bh(&dn_rt_hash_table[i].lock);
+@@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_rou
+ dst_use(&rth->dst, now);
+ spin_unlock_bh(&dn_rt_hash_table[hash].lock);
+
+- dnrt_drop(rt);
++ dst_free(&rt->dst);
+ *rp = rth;
+ return 0;
+ }
+@@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long d
+ for(; rt; rt = next) {
+ next = rcu_dereference_raw(rt->dst.dn_next);
+ RCU_INIT_POINTER(rt->dst.dn_next, NULL);
+- dst_free((struct dst_entry *)rt);
++ dnrt_free(rt);
+ }
+
+ nothing_to_declare:
+@@ -1187,7 +1181,7 @@ make_route:
+ if (dev_out->flags & IFF_LOOPBACK)
+ flags |= RTCF_LOCAL;
+
+- rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST);
++ rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST);
+ if (rt == NULL)
+ goto e_nobufs;
+
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Wed, 7 Jun 2017 16:14:29 +0200
+Subject: decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+
+[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]
+
+Verify that the length of the socket buffer is sufficient to cover the
+nlmsghdr structure before accessing the nlh->nlmsg_len field for further
+input sanitization. If the client only supplies 1-3 bytes of data in
+sk_buff, then nlh->nlmsg_len remains partially uninitialized and
+contains leftover memory from the corresponding kernel allocation.
+Operating on such data may result in indeterminate evaluation of the
+nlmsg_len < sizeof(*nlh) expression.
+
+The bug was discovered by a runtime instrumentation designed to detect
+use of uninitialized memory in the kernel. The patch prevents this and
+other similar tools (e.g. KMSAN) from flagging this behavior in the future.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/decnet/netfilter/dn_rtmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/netfilter/dn_rtmsg.c
++++ b/net/decnet/netfilter/dn_rtmsg.c
+@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_sk
+ {
+ struct nlmsghdr *nlh = nlmsg_hdr(skb);
+
+- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
++ if (skb->len < sizeof(*nlh) ||
++ nlh->nlmsg_len < sizeof(*nlh) ||
++ skb->len < nlh->nlmsg_len)
+ return;
+
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Krister Johansen <kjlx@templeofstupid.com>
+Date: Thu, 8 Jun 2017 13:12:38 -0700
+Subject: Fix an intermittent pr_emerg warning about lo becoming free.
+
+From: Krister Johansen <kjlx@templeofstupid.com>
+
+
+[ Upstream commit f186ce61bb8235d80068c390dc2aad7ca427a4c2 ]
+
+It looks like this:
+
+Message from syslogd@flamingo at Apr 26 00:45:00 ...
+ kernel:unregister_netdevice: waiting for lo to become free. Usage count = 4
+
+They seem to coincide with net namespace teardown.
+
+The message is emitted by netdev_wait_allrefs().
+
+Forced a kdump in netdev_run_todo, but found that the refcount on the lo
+device was already 0 at the time we got to the panic.
+
+Used bcc to check the blocking in netdev_run_todo. The only places
+where we're off cpu there are in the rcu_barrier() and msleep() calls.
+That behavior is expected. The msleep time coincides with the amount of
+time we spend waiting for the refcount to reach zero; the rcu_barrier()
+wait times are not excessive.
+
+After looking through the list of callbacks that the netdevice notifiers
+invoke in this path, it appears that the dst_dev_event is the most
+interesting. The dst_ifdown path places a hold on the loopback_dev as
+part of releasing the dev associated with the original dst cache entry.
+Most of our notifier callbacks are straight-forward, but this one a)
+looks complex, and b) places a hold on the network interface in
+question.
+
+I constructed a new bcc script that watches various events in the
+liftime of a dst cache entry. Note that dst_ifdown will take a hold on
+the loopback device until the invalidated dst entry gets freed.
+
+[ __dst_free] on DST: ffff883ccabb7900 IF tap1008300eth0 invoked at 1282115677036183
+ __dst_free
+ rcu_nocb_kthread
+ kthread
+ ret_from_fork
+Acked-by: Eric Dumazet <edumazet@google.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dst.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -462,6 +462,20 @@ static int dst_dev_event(struct notifier
+ spin_lock_bh(&dst_garbage.lock);
+ dst = dst_garbage.list;
+ dst_garbage.list = NULL;
++ /* The code in dst_ifdown places a hold on the loopback device.
++ * If the gc entry processing is set to expire after a lengthy
++ * interval, this hold can cause netdev_wait_allrefs() to hang
++ * out and wait for a long time -- until the the loopback
++ * interface is released. If we're really unlucky, it'll emit
++ * pr_emerg messages to console too. Reset the interval here,
++ * so dst cleanups occur in a more timely fashion.
++ */
++ if (dst_garbage.timer_inc > DST_GC_INC) {
++ dst_garbage.timer_inc = DST_GC_INC;
++ dst_garbage.timer_expires = DST_GC_MIN;
++ mod_delayed_work(system_wq, &dst_gc_work,
++ dst_garbage.timer_expires);
++ }
+ spin_unlock_bh(&dst_garbage.lock);
+
+ if (last)
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 12 Jun 2017 09:52:26 -0700
+Subject: igmp: acquire pmc lock for ip_mc_clear_src()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit c38b7d327aafd1e3ad7ff53eefac990673b65667 ]
+
+Andrey reported a use-after-free in add_grec():
+
+ for (psf = *psf_list; psf; psf = psf_next) {
+ ...
+ psf_next = psf->sf_next;
+
+where the struct ip_sf_list's were already freed by:
+
+ kfree+0xe8/0x2b0 mm/slub.c:3882
+ ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
+ ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
+ ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
+ inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ sock_close+0x16/0x20 net/socket.c:1072
+
+This happens because we don't hold pmc->lock in ip_mc_clear_src()
+and a parallel mr_ifc_timer timer could jump in and access them.
+
+The RCU lock is there but it is merely for pmc itself, this
+spinlock could actually ensure we don't access them in parallel.
+
+Thanks to Eric and Long for discussion on this bug.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2026,21 +2026,26 @@ static int ip_mc_add_src(struct in_devic
+
+ static void ip_mc_clear_src(struct ip_mc_list *pmc)
+ {
+- struct ip_sf_list *psf, *nextpsf;
++ struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
+
+- for (psf = pmc->tomb; psf; psf = nextpsf) {
++ spin_lock_bh(&pmc->lock);
++ tomb = pmc->tomb;
++ pmc->tomb = NULL;
++ sources = pmc->sources;
++ pmc->sources = NULL;
++ pmc->sfmode = MCAST_EXCLUDE;
++ pmc->sfcount[MCAST_INCLUDE] = 0;
++ pmc->sfcount[MCAST_EXCLUDE] = 1;
++ spin_unlock_bh(&pmc->lock);
++
++ for (psf = tomb; psf; psf = nextpsf) {
+ nextpsf = psf->sf_next;
+ kfree(psf);
+ }
+- pmc->tomb = NULL;
+- for (psf = pmc->sources; psf; psf = nextpsf) {
++ for (psf = sources; psf; psf = nextpsf) {
+ nextpsf = psf->sf_next;
+ kfree(psf);
+ }
+- pmc->sources = NULL;
+- pmc->sfmode = MCAST_EXCLUDE;
+- pmc->sfcount[MCAST_INCLUDE] = 0;
+- pmc->sfcount[MCAST_EXCLUDE] = 1;
+ }
+
+ /* Join a multicast group
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Tue, 20 Jun 2017 10:46:27 -0700
+Subject: igmp: add a missing spin_lock_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 ]
+
+Andrey reported a lockdep warning on non-initialized
+spinlock:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
+ ? 0xffffffffa0000000
+ __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
+ lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
+ __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
+ _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
+ spin_lock_bh ./include/linux/spinlock.h:304
+ ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
+ igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
+ ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736
+
+We miss a spin_lock_init() in igmpv3_add_delrec(), probably
+because previously we never use it on this code path. Since
+we already unlink it from the global mc_tomb list, it is
+probably safe not to acquire this spinlock here. It does not
+harm to have it although, to avoid conditional locking.
+
+Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1102,6 +1102,7 @@ static void igmpv3_add_delrec(struct in_
+ pmc = kzalloc(sizeof(*pmc), GFP_KERNEL);
+ if (!pmc)
+ return;
++ spin_lock_init(&pmc->lock);
+ spin_lock_bh(&im->lock);
+ pmc->interface = im->interface;
+ in_dev_hold(in_dev);
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Serhey Popovych <serhe.popovych@gmail.com>
+Date: Tue, 20 Jun 2017 13:29:25 +0300
+Subject: ipv6: Do not leak throw route references
+
+From: Serhey Popovych <serhe.popovych@gmail.com>
+
+
+[ Upstream commit 07f615574f8ac499875b21c1142f26308234a92c ]
+
+While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
+does good job on error propagation to the fib_rules_lookup()
+in fib rules core framework that also corrects throw routes
+handling, it does not solve route reference leakage problem
+happened when we return -EAGAIN to the fib_rules_lookup()
+and leave routing table entry referenced in arg->result.
+
+If rule with matched throw route isn't last matched in the
+list we overwrite arg->result losing reference on throw
+route stored previously forever.
+
+We also partially revert commit ab997ad40839 ("ipv6: fix the
+incorrect return value of throw route") since we never return
+routing table entry with dst.error == -EAGAIN when
+CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
+to check for RTF_REJECT flag since it is always set throw
+route.
+
+Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
+Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/fib6_rules.c | 22 ++++++----------------
+ net/ipv6/ip6_fib.c | 3 +--
+ 2 files changed, 7 insertions(+), 18 deletions(-)
+
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -32,7 +32,6 @@ struct fib6_rule {
+ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
+ int flags, pol_lookup_t lookup)
+ {
+- struct rt6_info *rt;
+ struct fib_lookup_arg arg = {
+ .lookup_ptr = lookup,
+ .flags = FIB_LOOKUP_NOREF,
+@@ -41,21 +40,11 @@ struct dst_entry *fib6_rule_lookup(struc
+ fib_rules_lookup(net->ipv6.fib6_rules_ops,
+ flowi6_to_flowi(fl6), flags, &arg);
+
+- rt = arg.result;
++ if (arg.result)
++ return arg.result;
+
+- if (!rt) {
+- dst_hold(&net->ipv6.ip6_null_entry->dst);
+- return &net->ipv6.ip6_null_entry->dst;
+- }
+-
+- if (rt->rt6i_flags & RTF_REJECT &&
+- rt->dst.error == -EAGAIN) {
+- ip6_rt_put(rt);
+- rt = net->ipv6.ip6_null_entry;
+- dst_hold(&rt->dst);
+- }
+-
+- return &rt->dst;
++ dst_hold(&net->ipv6.ip6_null_entry->dst);
++ return &net->ipv6.ip6_null_entry->dst;
+ }
+
+ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
+@@ -116,7 +105,8 @@ static int fib6_rule_action(struct fib_r
+ flp6->saddr = saddr;
+ }
+ err = rt->dst.error;
+- goto out;
++ if (err != -EAGAIN)
++ goto out;
+ }
+ again:
+ ip6_rt_put(rt);
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -290,8 +290,7 @@ struct dst_entry *fib6_rule_lookup(struc
+ struct rt6_info *rt;
+
+ rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
+- if (rt->rt6i_flags & RTF_REJECT &&
+- rt->dst.error == -EAGAIN) {
++ if (rt->dst.error == -EAGAIN) {
+ ip6_rt_put(rt);
+ rt = net->ipv6.ip6_null_entry;
+ dst_hold(&rt->dst);
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 15 Jun 2017 16:33:58 +0800
+Subject: ipv6: fix calling in6_ifa_hold incorrectly for dad work
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit f8a894b218138888542a5058d0e902378fd0d4ec ]
+
+Now when starting the dad work in addrconf_mod_dad_work, if the dad work
+is idle and queued, it needs to hold ifa.
+
+The problem is there's one gap in [1], during which if the pending dad work
+is removed elsewhere. It will miss to hold ifa, but the dad word is still
+idea and queue.
+
+ if (!delayed_work_pending(&ifp->dad_work))
+ in6_ifa_hold(ifp);
+ <--------------[1]
+ mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
+
+An use-after-free issue can be caused by this.
+
+Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
+net6_ifa_finish_destroy was hit because of it.
+
+As Hannes' suggestion, this patch is to fix it by holding ifa first in
+addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
+the dad_work is already in queue.
+
+Note that this patch did not choose to fix it with:
+
+ if (!mod_delayed_work(delay))
+ in6_ifa_hold(ifp);
+
+As with it, when delay == 0, dad_work would be scheduled immediately, all
+addrconf_mod_dad_work(0) callings had to be moved under ifp->lock.
+
+Reported-by: Wei Chen <weichen@redhat.com>
+Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -291,9 +291,9 @@ static void addrconf_mod_rs_timer(struct
+ static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
+ unsigned long delay)
+ {
+- if (!delayed_work_pending(&ifp->dad_work))
+- in6_ifa_hold(ifp);
+- mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
++ in6_ifa_hold(ifp);
++ if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay))
++ in6_ifa_put(ifp);
+ }
+
+ static int snmp6_alloc_dev(struct inet6_dev *idev)
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Fri, 16 Jun 2017 15:00:02 +0800
+Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+
+[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ]
+
+The register_vlan_device would invoke free_netdev directly, when
+register_vlan_dev failed. It would trigger the BUG_ON in free_netdev
+if the dev was already registered. In this case, the netdev would be
+freed in netdev_run_todo later.
+
+So add one condition check now. Only when dev is not registered, then
+free it directly.
+
+The following is the part coredump when netdev_upper_dev_link failed
+in register_vlan_dev. I removed the lines which are too long.
+
+[ 411.237457] ------------[ cut here ]------------
+[ 411.237458] kernel BUG at net/core/dev.c:7998!
+[ 411.237484] invalid opcode: 0000 [#1] SMP
+[ 411.237705] [last unloaded: 8021q]
+[ 411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G E 4.12.0-rc5+ #6
+[ 411.237737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[ 411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000
+[ 411.237782] RIP: 0010:free_netdev+0x116/0x120
+[ 411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297
+[ 411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878
+[ 411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000
+[ 411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801
+[ 411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000
+[ 411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000
+[ 411.239518] FS: 00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000
+[ 411.239949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0
+[ 411.240936] Call Trace:
+[ 411.241462] vlan_ioctl_handler+0x3f1/0x400 [8021q]
+[ 411.241910] sock_ioctl+0x18b/0x2c0
+[ 411.242394] do_vfs_ioctl+0xa1/0x5d0
+[ 411.242853] ? sock_alloc_file+0xa6/0x130
+[ 411.243465] SyS_ioctl+0x79/0x90
+[ 411.243900] entry_SYSCALL_64_fastpath+0x1e/0xa9
+[ 411.244425] RIP: 0033:0x7fb69089a357
+[ 411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[ 411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357
+[ 411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003
+[ 411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999
+[ 411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004
+[ 411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001
+[ 411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -278,7 +278,8 @@ static int register_vlan_device(struct n
+ return 0;
+
+ out_free_newdev:
+- free_netdev(new_dev);
++ if (new_dev->reg_state == NETREG_UNINITIALIZED)
++ free_netdev(new_dev);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Sat, 10 Jun 2017 16:49:39 +0800
+Subject: net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit f146e872eb12ebbe92d8e583b2637e0741440db3 ]
+
+The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the
+function call path is:
+cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock)
+ cfctrl_linkdown_req
+ cfpkt_create
+ cfpkt_create_pfx
+ alloc_skb(GFP_KERNEL) --> may sleep
+cfserl_receive (acquire the lock by rcu_read_lock)
+ cfpkt_split
+ cfpkt_create_pfx
+ alloc_skb(GFP_KERNEL) --> may sleep
+
+There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or
+"GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function
+is called under a rcu read lock, instead in interrupt.
+
+To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/cfpkt_skbuff.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/caif/cfpkt_skbuff.c
++++ b/net/caif/cfpkt_skbuff.c
+@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u1
+ {
+ struct sk_buff *skb;
+
+- if (likely(in_interrupt()))
+- skb = alloc_skb(len + pfx, GFP_ATOMIC);
+- else
+- skb = alloc_skb(len + pfx, GFP_KERNEL);
+-
++ skb = alloc_skb(len + pfx, GFP_ATOMIC);
+ if (unlikely(skb == NULL))
+ return NULL;
+
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Tue, 6 Jun 2017 15:56:54 +0200
+Subject: net: don't call strlen on non-terminated string in dev_set_alias()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit c28294b941232931fbd714099798eb7aa7e865d7 ]
+
+KMSAN reported a use of uninitialized memory in dev_set_alias(),
+which was caused by calling strlcpy() (which in turn called strlen())
+on the user-supplied non-terminated string.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1246,8 +1246,9 @@ int dev_set_alias(struct net_device *dev
+ if (!new_ifalias)
+ return -ENOMEM;
+ dev->ifalias = new_ifalias;
++ memcpy(dev->ifalias, alias, len);
++ dev->ifalias[len] = 0;
+
+- strlcpy(dev->ifalias, alias, len+1);
+ return len;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Eli Cohen <eli@mellanox.com>
+Date: Thu, 8 Jun 2017 11:33:16 -0500
+Subject: net/mlx5: Wait for FW readiness before initializing command interface
+
+From: Eli Cohen <eli@mellanox.com>
+
+
+[ Upstream commit 6c780a0267b8a1075f40b39851132eeaefefcff5 ]
+
+Before attempting to initialize the command interface we must wait till
+the fw_initializing bit is clear.
+
+If we fail to meet this condition the hardware will drop our
+configuration, specifically the descriptors page address. This scenario
+can happen when the firmware is still executing an FLR flow and did not
+finish yet so the driver needs to wait for that to finish.
+
+Fixes: e3297246c2c8 ('net/mlx5_core: Wait for FW readiness on startup')
+Signed-off-by: Eli Cohen <eli@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -153,8 +153,9 @@ static struct mlx5_profile profile[] = {
+ },
+ };
+
+-#define FW_INIT_TIMEOUT_MILI 2000
+-#define FW_INIT_WAIT_MS 2
++#define FW_INIT_TIMEOUT_MILI 2000
++#define FW_INIT_WAIT_MS 2
++#define FW_PRE_INIT_TIMEOUT_MILI 10000
+
+ static int wait_fw_init(struct mlx5_core_dev *dev, u32 max_wait_mili)
+ {
+@@ -934,6 +935,15 @@ static int mlx5_load_one(struct mlx5_cor
+ */
+ dev->state = MLX5_DEVICE_STATE_UP;
+
++ /* wait for firmware to accept initialization segments configurations
++ */
++ err = wait_fw_init(dev, FW_PRE_INIT_TIMEOUT_MILI);
++ if (err) {
++ dev_err(&dev->pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n",
++ FW_PRE_INIT_TIMEOUT_MILI);
++ goto out;
++ }
++
+ err = mlx5_cmd_init(dev);
+ if (err) {
+ dev_err(&pdev->dev, "Failed initializing command interface, aborting\n");
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+Date: Wed, 7 Jun 2017 21:00:33 +0300
+Subject: net: Zero ifla_vf_info in rtnl_fill_vfinfo()
+
+From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>
+
+
+[ Upstream commit 0eed9cf58446b28b233388b7f224cbca268b6986 ]
+
+Some of the structure's fields are not initialized by the
+rtnetlink. If driver doesn't set those in ndo_get_vf_config(),
+they'd leak memory to user.
+
+Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
+CC: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1089,6 +1089,8 @@ static noinline_for_stack int rtnl_fill_
+ struct ifla_vf_mac vf_mac;
+ struct ifla_vf_info ivi;
+
++ memset(&ivi, 0, sizeof(ivi));
++
+ /* Not all SR-IOV capable drivers support the
+ * spoofcheck and "RSS query enable" query. Preset to
+ * -1 so the user space tool can detect that the driver
+@@ -1097,7 +1099,6 @@ static noinline_for_stack int rtnl_fill_
+ ivi.spoofchk = -1;
+ ivi.rss_query_en = -1;
+ ivi.trusted = -1;
+- memset(ivi.mac, 0, sizeof(ivi.mac));
+ /* The default value for VF link state is "auto"
+ * IFLA_VF_LINK_STATE_AUTO which equals zero
+ */
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Serhey Popovych <serhe.popovych@gmail.com>
+Date: Tue, 20 Jun 2017 14:35:23 +0300
+Subject: rtnetlink: add IFLA_GROUP to ifla_policy
+
+From: Serhey Popovych <serhe.popovych@gmail.com>
+
+
+[ Upstream commit db833d40ad3263b2ee3b59a1ba168bb3cfed8137 ]
+
+Network interface groups support added while ago, however
+there is no IFLA_GROUP attribute description in policy
+and netlink message size calculations until now.
+
+Add IFLA_GROUP attribute to the policy.
+
+Fixes: cbda10fa97d7 ("net_device: add support for network device groups")
+Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -897,6 +897,7 @@ static noinline size_t if_nlmsg_size(con
+ + nla_total_size(1) /* IFLA_LINKMODE */
+ + nla_total_size(4) /* IFLA_CARRIER_CHANGES */
+ + nla_total_size(4) /* IFLA_LINK_NETNSID */
++ + nla_total_size(4) /* IFLA_GROUP */
+ + nla_total_size(ext_filter_mask
+ & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
+ + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
+@@ -1371,6 +1372,7 @@ static const struct nla_policy ifla_poli
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+ [IFLA_LINK_NETNSID] = { .type = NLA_S32 },
+ [IFLA_PROTO_DOWN] = { .type = NLA_U8 },
++ [IFLA_GROUP] = { .type = NLA_U32 },
+ };
+
+ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
ipv6-release-dst-on-error-in-ip6_dst_lookup_tail.patch
+net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch
+decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch
+net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch
+af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch
+fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
+net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch
+igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
+igmp-add-a-missing-spin_lock_init.patch
+ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
+net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch
+decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
+net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
+sfc-provide-dummy-definitions-of-vswitch-functions.patch
+ipv6-do-not-leak-throw-route-references.patch
+rtnetlink-add-ifla_group-to-ifla_policy.patch
--- /dev/null
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Bert Kenward <bkenward@solarflare.com>
+Date: Fri, 16 Jun 2017 09:45:08 +0100
+Subject: sfc: provide dummy definitions of vswitch functions
+
+From: Bert Kenward <bkenward@solarflare.com>
+
+
+efx_probe_all() calls efx->type->vswitching_probe during probe. For
+SFC4000 (Falcon) NICs this function is not defined, leading to a BUG
+with the top of the call stack similar to:
+ ? efx_pci_probe_main+0x29a/0x830
+ efx_pci_probe+0x7d3/0xe70
+
+vswitching_restore and vswitching_remove also need to be defined.
+
+Fixed in mainline by:
+commit 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+
+Fixes: 6d8aaaf6f798 ("sfc: create VEB vswitch and vport above default firmware setup")
+Signed-off-by: Bert Kenward <bkenward@solarflare.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/falcon.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/falcon.c
++++ b/drivers/net/ethernet/sfc/falcon.c
+@@ -2796,6 +2796,11 @@ const struct efx_nic_type falcon_a1_nic_
+ .timer_period_max = 1 << FRF_AB_TC_TIMER_VAL_WIDTH,
+ .offload_features = NETIF_F_IP_CSUM,
+ .mcdi_max_ver = -1,
++#ifdef CONFIG_SFC_SRIOV
++ .vswitching_probe = efx_port_dummy_op_int,
++ .vswitching_restore = efx_port_dummy_op_int,
++ .vswitching_remove = efx_port_dummy_op_void,
++#endif
+ };
+
+ const struct efx_nic_type falcon_b0_nic_type = {
+@@ -2897,4 +2902,9 @@ const struct efx_nic_type falcon_b0_nic_
+ .offload_features = NETIF_F_IP_CSUM | NETIF_F_RXHASH | NETIF_F_NTUPLE,
+ .mcdi_max_ver = -1,
+ .max_rx_ip_filters = FR_BZ_RX_FILTER_TBL0_ROWS,
++#ifdef CONFIG_SFC_SRIOV
++ .vswitching_probe = efx_port_dummy_op_int,
++ .vswitching_restore = efx_port_dummy_op_int,
++ .vswitching_remove = efx_port_dummy_op_void,
++#endif
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
