4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 May 2018 14:04:22 +0000 (16:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 May 2018 14:04:22 +0000 (16:04 +0200)
added patches:
bdi-fix-oops-in-wb_workfn.patch
crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
dccp-initialize-ireq-ir_mark.patch
net-fix-rtnh_ok.patch
net-fix-uninit-value-in-__hw_addr_add_ex.patch
net-initialize-skb-peeked-when-cloning.patch
netlink-fix-uninit-value-in-netlink_sendmsg.patch
perf-remove-superfluous-allocation-error-check.patch
soreuseport-initialise-timewait-reuseport-field.patch
tcp-fix-tcp_repair_queue-bound-checking.patch

queue-4.4/bdi-fix-oops-in-wb_workfn.patch [new file with mode: 0644]
queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch [new file with mode: 0644]
queue-4.4/dccp-initialize-ireq-ir_mark.patch [new file with mode: 0644]
queue-4.4/net-fix-rtnh_ok.patch [new file with mode: 0644]
queue-4.4/net-fix-uninit-value-in-__hw_addr_add_ex.patch [new file with mode: 0644]
queue-4.4/net-initialize-skb-peeked-when-cloning.patch [new file with mode: 0644]
queue-4.4/netlink-fix-uninit-value-in-netlink_sendmsg.patch [new file with mode: 0644]
queue-4.4/perf-remove-superfluous-allocation-error-check.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch [new file with mode: 0644]
queue-4.4/tcp-fix-tcp_repair_queue-bound-checking.patch [new file with mode: 0644]

diff --git a/queue-4.4/bdi-fix-oops-in-wb_workfn.patch b/queue-4.4/bdi-fix-oops-in-wb_workfn.patch
new file mode 100644 (file)
index 0000000..72ddbf8
--- /dev/null
@@ -0,0 +1,52 @@
+From b8b784958eccbf8f51ebeee65282ca3fd59ea391 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 3 May 2018 18:26:26 +0200
+Subject: bdi: Fix oops in wb_workfn()
+
+From: Jan Kara <jack@suse.cz>
+
+commit b8b784958eccbf8f51ebeee65282ca3fd59ea391 upstream.
+
+Syzbot has reported that it can hit a NULL pointer dereference in
+wb_workfn() due to wb->bdi->dev being NULL. This indicates that
+wb_workfn() was called for an already unregistered bdi which should not
+happen as wb_shutdown() called from bdi_unregister() should make sure
+all pending writeback works are completed before bdi is unregistered.
+Except that wb_workfn() itself can requeue the work with:
+
+       mod_delayed_work(bdi_wq, &wb->dwork, 0);
+
+and if this happens while wb_shutdown() is waiting in:
+
+       flush_delayed_work(&wb->dwork);
+
+the dwork can get executed after wb_shutdown() has finished and
+bdi_unregister() has cleared wb->bdi->dev.
+
+Make wb_workfn() use wakeup_wb() for requeueing the work which takes all
+the necessary precautions against racing with bdi unregistration.
+
+CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: Tejun Heo <tj@kernel.org>
+Fixes: 839a8e8660b6777e7fe4e80af1a048aebe2b5977
+Reported-by: syzbot <syzbot+9873874c735f2892e7e9@syzkaller.appspotmail.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fs-writeback.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -1906,7 +1906,7 @@ void wb_workfn(struct work_struct *work)
+       }
+       if (!list_empty(&wb->work_list))
+-              mod_delayed_work(bdi_wq, &wb->dwork, 0);
++              wb_wakeup(wb);
+       else if (wb_has_dirty_io(wb) && dirty_writeback_interval)
+               wb_wakeup_delayed(wb);
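Review bot: The switch to `wb_wakeup(wb)` on the replaced line carries its rationale only in the commit message, so nothing in fs-writeback.c stops a later cleanup from reintroducing a direct `mod_delayed_work()` requeue, which is exactly the race being fixed. A comment above the call, `/* Requeue via wb_wakeup(): it guards against the bdi being unregistered while we ran; a bare mod_delayed_work() can fire after wb_shutdown() has returned. */`, would keep that constraint with the code. wb_workfn() begins before and ends after the hunk, so the rest of its requeue logic is not visible here.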
diff --git a/queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch b/queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
new file mode 100644 (file)
index 0000000..6c1b9f9
--- /dev/null
@@ -0,0 +1,50 @@
+From a466856e0b7ab269cdf9461886d007e88ff575b0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:36 -0700
+Subject: crypto: af_alg - fix possible uninit-value in alg_bind()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a466856e0b7ab269cdf9461886d007e88ff575b0 upstream.
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
+
+We need to check addr_len before dereferencing sa (or uaddr)
+
+Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephan Mueller <smueller@chronox.de>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock,
+       void *private;
+       int err;
+-      /* If caller uses non-allowed flag, return error. */
+-      if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+-              return -EINVAL;
+-
+       if (sock->state == SS_CONNECTED)
+               return -EINVAL;
+       if (addr_len != sizeof(*sa))
+               return -EINVAL;
++      /* If caller uses non-allowed flag, return error. */
++      if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
++              return -EINVAL;
++
+       sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+       sa->salg_name[sizeof(sa->salg_name) - 1] = 0;
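Review bot: The relocated flag check on the added `if ((sa->salg_feat & ~allowed) ...` line is correct only because it now sits below the `addr_len != sizeof(*sa)` check, and nothing in the code records that ordering constraint; the bug being fixed was precisely this check having been placed above the length validation. A short comment on the added lines, `/* sa may only be dereferenced after addr_len has been validated above. */`, would keep a future reorder from reintroducing the over-read. alg_bind() starts before the hunk, so the declaration of `allowed` and the derivation of `sa` from uaddr are outside this view.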
diff --git a/queue-4.4/dccp-initialize-ireq-ir_mark.patch b/queue-4.4/dccp-initialize-ireq-ir_mark.patch
new file mode 100644 (file)
index 0000000..dc7de6e
--- /dev/null
@@ -0,0 +1,154 @@
+From b855ff827476adbdc2259e9895681d82b7b26065 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:41 -0700
+Subject: dccp: initialize ireq->ir_mark
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b855ff827476adbdc2259e9895681d82b7b26065 upstream.
+
+syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook()
+
+Thanks to the nice report, I tracked the problem to dccp not caring
+of ireq->ir_mark for passive sessions.
+
+BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline]
+ iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84
+ nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
+ nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483
+ nf_hook include/linux/netfilter.h:243 [inline]
+ __ip_local_out net/ipv4/ip_output.c:113 [inline]
+ ip_local_out net/ipv4/ip_output.c:122 [inline]
+ ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455259
+RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259
+RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502
+ dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142
+ dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281
+ dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363
+ dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797
+ dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92
+ dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408
+ dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414
+ dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197
+ dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ reqsk_alloc include/net/request_sock.h:88 [inline]
+ inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145
+ dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600
+ dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317
+ dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612
+ dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682
+ dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513
+ dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874
+ ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ process_backlog+0x62d/0xe20 net/core/dev.c:5307
+ napi_poll net/core/dev.c:5705 [inline]
+ net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
+ __do_softirq+0x56d/0x93d kernel/softirq.c:285
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/dccp/ipv4.c |    1 +
+ net/dccp/ipv6.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -618,6 +618,7 @@ int dccp_v4_conn_request(struct sock *sk
+       ireq = inet_rsk(req);
+       sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
+       sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
++      ireq->ir_mark = inet_request_mark(sk, skb);
+       ireq->ireq_family = AF_INET;
+       ireq->ir_iif = sk->sk_bound_dev_if;
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -345,6 +345,7 @@ static int dccp_v6_conn_request(struct s
+       ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+       ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+       ireq->ireq_family = AF_INET6;
++      ireq->ir_mark = inet_request_mark(sk, skb);
+       if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
+           np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
diff --git a/queue-4.4/net-fix-rtnh_ok.patch b/queue-4.4/net-fix-rtnh_ok.patch
new file mode 100644 (file)
index 0000000..7931c83
--- /dev/null
@@ -0,0 +1,39 @@
+From b1993a2de12c9e75c35729e2ffbc3a92d50c0d31 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:38 -0700
+Subject: net: fix rtnh_ok()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b1993a2de12c9e75c35729e2ffbc3a92d50c0d31 upstream.
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
+BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
+BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
+
+@remaining is an integer, coming from user space.
+If it is negative we want rtnh_ok() to return false.
+
+Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/nexthop.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -6,7 +6,7 @@
+ static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
+ {
+-      return remaining >= sizeof(*rtnh) &&
++      return remaining >= (int)sizeof(*rtnh) &&
+              rtnh->rtnh_len >= sizeof(*rtnh) &&
+              rtnh->rtnh_len <= remaining;
+ }
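Review bot: The `(int)` cast on the changed line reads as an incidental cast rather than a deliberate bounds decision, and since `remaining` is user-controlled (per the commit message) the reason it must stay a signed compare deserves to be stated in the header itself. A comment above the return, `/* remaining is user-controlled and may be negative; keep the first compare signed so a negative value fails here rather than wrapping. */`, would tie the cast to its purpose, and it also documents why the later `rtnh->rtnh_len <= remaining` clause can trust `remaining` to be non-negative. An equivalent, more explicit form is `return remaining >= 0 && (size_t)remaining >= sizeof(*rtnh) && ...`, but the cast is acceptable as it stands.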
diff --git a/queue-4.4/net-fix-uninit-value-in-__hw_addr_add_ex.patch b/queue-4.4/net-fix-uninit-value-in-__hw_addr_add_ex.patch
new file mode 100644 (file)
index 0000000..ad3e1f3
--- /dev/null
@@ -0,0 +1,56 @@
+From 77d36398d99f2565c0a8d43a86fd520a82e64bb8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:40 -0700
+Subject: net: fix uninit-value in __hw_addr_add_ex()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 77d36398d99f2565c0a8d43a86fd520a82e64bb8 upstream.
+
+syzbot complained :
+
+BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
+CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ memcmp+0x119/0x180 lib/string.c:861
+ __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
+ __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
+ dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
+ igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
+ ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
+ addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
+ addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
+ addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
+ process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
+ worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
+ kthread+0x539/0x720 kernel/kthread.c:239
+
+Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev_addr_lists.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netde
+               return -EINVAL;
+       list_for_each_entry(ha, &list->list, list) {
+-              if (!memcmp(ha->addr, addr, addr_len) &&
+-                  ha->type == addr_type) {
++              if (ha->type == addr_type &&
++                  !memcmp(ha->addr, addr, addr_len)) {
+                       if (global) {
+                               /* check if addr is already used as global */
+                               if (ha->global_use)
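Review bot: The swapped conditions on the two changed lines fix the report purely by evaluation order, and the code gives no hint that comparing `ha->type` before `memcmp()` is load-bearing rather than a micro-optimisation, so a later cleanup could swap them back. A comment above the `if`, `/* Check type first: do not memcmp() addr against entries of another type (KMSAN reported uninitialised bytes being read that way). */`, would record the constraint; the commit message does not say why the bytes were uninitialised, so the comment should not speculate beyond that. __hw_addr_add_ex() begins before the hunk, so the addr_len validation implied by the `return -EINVAL` at the top is only partly visible.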
diff --git a/queue-4.4/net-initialize-skb-peeked-when-cloning.patch b/queue-4.4/net-initialize-skb-peeked-when-cloning.patch
new file mode 100644 (file)
index 0000000..139f9a5
--- /dev/null
@@ -0,0 +1,34 @@
+From b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:39 -0700
+Subject: net: initialize skb->peeked when cloning
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream.
+
+syzbot reported __skb_try_recv_from_queue() was using skb->peeked
+while it was potentially unitialized.
+
+We need to clear it in __skb_clone()
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -827,6 +827,7 @@ static struct sk_buff *__skb_clone(struc
+       n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
+       n->cloned = 1;
+       n->nohdr = 0;
++      n->peeked = 0;
+       n->destructor = NULL;
+       C(tail);
+       C(end);
diff --git a/queue-4.4/netlink-fix-uninit-value-in-netlink_sendmsg.patch b/queue-4.4/netlink-fix-uninit-value-in-netlink_sendmsg.patch
new file mode 100644 (file)
index 0000000..99cd653
--- /dev/null
@@ -0,0 +1,35 @@
+From 6091f09c2f79730d895149bcfe3d66140288cd0e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:37 -0700
+Subject: netlink: fix uninit-value in netlink_sendmsg
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream.
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
+BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1795,6 +1795,8 @@ static int netlink_sendmsg(struct socket
+       if (msg->msg_namelen) {
+               err = -EINVAL;
++              if (msg->msg_namelen < sizeof(struct sockaddr_nl))
++                      goto out;
+               if (addr->nl_family != AF_NETLINK)
+                       goto out;
+               dst_portid = addr->nl_pid;
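Review bot: The added `msg->msg_namelen < sizeof(struct sockaddr_nl)` check compares the signed `int msg_namelen` against a `size_t`, so a negative msg_namelen would be promoted to a large unsigned value and pass the guard; the check therefore relies on the sendmsg syscall path having already rejected negative lengths, which is believed to be the case but is outside this hunk. If the guard is meant to stand on its own, `if (msg->msg_namelen < 0 || (size_t)msg->msg_namelen < sizeof(struct sockaddr_nl))` is the defensive form; otherwise a comment, `/* msg_namelen is non-negative here: validated by the sendmsg syscall path */`, records the assumption. netlink_sendmsg() starts and ends outside the hunk, and the derivation of `addr` from msg->msg_name is not visible.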
diff --git a/queue-4.4/perf-remove-superfluous-allocation-error-check.patch b/queue-4.4/perf-remove-superfluous-allocation-error-check.patch
new file mode 100644 (file)
index 0000000..0956ddc
--- /dev/null
@@ -0,0 +1,52 @@
+From bfb3d7b8b906b66551424d7636182126e1d134c8 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Sun, 15 Apr 2018 11:23:52 +0200
+Subject: perf: Remove superfluous allocation error check
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit bfb3d7b8b906b66551424d7636182126e1d134c8 upstream.
+
+If the get_callchain_buffers fails to allocate the buffer it will
+decrease the nr_callchain_events right away.
+
+There's no point of checking the allocation error for
+nr_callchain_events > 1. Removing that check.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: syzkaller-bugs@googlegroups.com
+Cc: x86@kernel.org
+Link: http://lkml.kernel.org/r/20180415092352.12403-3-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/callchain.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/kernel/events/callchain.c
++++ b/kernel/events/callchain.c
+@@ -107,14 +107,8 @@ int get_callchain_buffers(void)
+               goto exit;
+       }
+-      if (count > 1) {
+-              /* If the allocation failed, give up */
+-              if (!callchain_cpus_entries)
+-                      err = -ENOMEM;
+-              goto exit;
+-      }
+-
+-      err = alloc_callchain_buffers();
++      if (count == 1)
++              err = alloc_callchain_buffers();
+ exit:
+       if (err)
+               atomic_dec(&nr_callchain_events);
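Review bot: With the `count > 1` branch removed, the new `if (count == 1)` line leaves `err` untouched for every other count, so the function now returns whatever `err` held on entry to this stretch; that is only correct if `err` is initialised to 0 above the hunk, which is outside this view and should be confirmed for the 4.4 backport. The reasoning from the commit message — a failed allocation already decrements nr_callchain_events, so a later caller never observes count > 1 with missing buffers — lives only in the changelog; a comment on the new line, `/* count > 1: buffers were allocated by the first event; a failed allocation already dropped nr_callchain_events, so no check is needed here. */`, would keep it with the code. get_callchain_buffers() starts before the hunk.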
index 473f8cd9d16983556cb327532efae8536b1753e9..4d77cec4e3b48032dea1be0378efb4a60e2f9bb8 100644 (file)
@@ -30,3 +30,13 @@ usb-serial-option-adding-support-for-ublox-r410m.patch
 usb-musb-host-fix-potential-null-pointer-dereference.patch
 s390-facilites-use-stfle_fac_list-array-size-for-max_facility_bit.patch
 ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thread.patch
+crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch
+netlink-fix-uninit-value-in-netlink_sendmsg.patch
+net-fix-rtnh_ok.patch
+net-initialize-skb-peeked-when-cloning.patch
+net-fix-uninit-value-in-__hw_addr_add_ex.patch
+dccp-initialize-ireq-ir_mark.patch
+soreuseport-initialise-timewait-reuseport-field.patch
+perf-remove-superfluous-allocation-error-check.patch
+tcp-fix-tcp_repair_queue-bound-checking.patch
+bdi-fix-oops-in-wb_workfn.patch
diff --git a/queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch b/queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch
new file mode 100644 (file)
index 0000000..e3ef851
--- /dev/null
@@ -0,0 +1,149 @@
+From 3099a52918937ab86ec47038ad80d377ba16c531 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 13:42:43 -0700
+Subject: soreuseport: initialise timewait reuseport field
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 3099a52918937ab86ec47038ad80d377ba16c531 upstream.
+
+syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
+
+It turns out we never propagated sk->sk_reuseport into timewait socket.
+
+[1]
+BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
+ inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
+ inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4416e9
+RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
+RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
+RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
+R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
+R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
+ inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
+ tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
+ tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
+ tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
+ inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
+ inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
+ sock_release net/socket.c:595 [inline]
+ sock_close+0xe0/0x300 net/socket.c:1149
+ __fput+0x49e/0xa10 fs/file_table.c:209
+ ____fput+0x37/0x40 fs/file_table.c:243
+ task_work_run+0x243/0x2c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x10e1/0x38d0 kernel/exit.c:867
+ do_group_exit+0x1a0/0x360 kernel/exit.c:970
+ SYSC_exit_group+0x21/0x30 kernel/exit.c:981
+ SyS_exit_group+0x25/0x30 kernel/exit.c:979
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/inet_timewait_sock.h |    1 +
+ net/ipv4/inet_timewait_sock.c    |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/include/net/inet_timewait_sock.h
++++ b/include/net/inet_timewait_sock.h
+@@ -55,6 +55,7 @@ struct inet_timewait_sock {
+ #define tw_family             __tw_common.skc_family
+ #define tw_state              __tw_common.skc_state
+ #define tw_reuse              __tw_common.skc_reuse
++#define tw_reuseport          __tw_common.skc_reuseport
+ #define tw_ipv6only           __tw_common.skc_ipv6only
+ #define tw_bound_dev_if               __tw_common.skc_bound_dev_if
+ #define tw_node                       __tw_common.skc_nulls_node
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_all
+               tw->tw_dport        = inet->inet_dport;
+               tw->tw_family       = sk->sk_family;
+               tw->tw_reuse        = sk->sk_reuse;
++              tw->tw_reuseport    = sk->sk_reuseport;
+               tw->tw_hash         = sk->sk_hash;
+               tw->tw_ipv6only     = 0;
+               tw->tw_transparent  = inet->transparent;
diff --git a/queue-4.4/tcp-fix-tcp_repair_queue-bound-checking.patch b/queue-4.4/tcp-fix-tcp_repair_queue-bound-checking.patch
new file mode 100644 (file)
index 0000000..a84a0bb
--- /dev/null
@@ -0,0 +1,50 @@
+From bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 29 Apr 2018 18:55:20 -0700
+Subject: tcp: fix TCP_REPAIR_QUEUE bound checking
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream.
+
+syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
+with following C-repro :
+
+socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
+setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
+sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
+       1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
+setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
+writev(3, [{"\270", 1}], 1)             = 1
+setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
+writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144
+
+The 3rd system call looks odd :
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+
+This patch makes sure bound checking is using an unsigned compare.
+
+Fixes: ee9952831cfd ("tcp: Initial repair mode")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2450,7 +2450,7 @@ static int do_tcp_setsockopt(struct sock
+       case TCP_REPAIR_QUEUE:
+               if (!tp->repair)
+                       err = -EPERM;
+-              else if (val < TCP_QUEUES_NR)
++              else if ((unsigned int)val < TCP_QUEUES_NR)
+                       tp->repair_queue = val;
+               else
+                       err = -EINVAL;
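Review bot: The `(unsigned int)val` cast on the changed line rejects negative values only through unsigned wraparound, and nothing in the code says that is the intent, so the cast could be mistaken for a warning silencer and dropped. A comment on that line, `/* unsigned compare also rejects negative (user-supplied) val */`, makes the bound check self-explanatory; an explicit `val < 0 ||` clause would need the if/else chain restructured, so the cast plus comment is the smaller change. do_tcp_setsockopt() starts and ends outside the hunk, and the copy of `val` from user space is not visible here.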