--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 6 May 2017 03:49:01 +0300
+Subject: bnxt_en: allocate enough space for ->ntp_fltr_bmap
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit ac45bd93a5035c2f39c9862b8b6ed692db0fdc87 ]
+
+We have the number of longs, but we need to calculate the number of
+bytes required.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2867,7 +2867,8 @@ static int bnxt_alloc_ntp_fltrs(struct b
+ INIT_HLIST_HEAD(&bp->ntp_fltr_hash_tbl[i]);
+
+ bp->ntp_fltr_count = 0;
+- bp->ntp_fltr_bmap = kzalloc(BITS_TO_LONGS(BNXT_NTP_FLTR_MAX_FLTR),
++ bp->ntp_fltr_bmap = kcalloc(BITS_TO_LONGS(BNXT_NTP_FLTR_MAX_FLTR),
++ sizeof(long),
+ GFP_KERNEL);
+
+ if (!bp->ntp_fltr_bmap)
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 2 May 2017 20:34:54 +0200
+Subject: bpf, arm64: fix jit branch offset related to ldimm64
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+
+[ Upstream commit ddc665a4bb4b728b4e6ecec8db1b64efa9184b9c ]
+
+When the instruction right before the branch destination is
+a 64 bit load immediate, we currently calculate the wrong
+jump offset in the ctx->offset[] array as we only account
+one instruction slot for the 64 bit load immediate although
+it uses two BPF instructions. Fix it up by setting the offset
+into the right slot after we incremented the index.
+
+Before (ldimm64 test 1):
+
+ [...]
+ 00000020: 52800007 mov w7, #0x0 // #0
+ 00000024: d2800060 mov x0, #0x3 // #3
+ 00000028: d2800041 mov x1, #0x2 // #2
+ 0000002c: eb01001f cmp x0, x1
+ 00000030: 54ffff82 b.cs 0x00000020
+ 00000034: d29fffe7 mov x7, #0xffff // #65535
+ 00000038: f2bfffe7 movk x7, #0xffff, lsl #16
+ 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32
+ 00000040: f2ffffe7 movk x7, #0xffff, lsl #48
+ 00000044: d29dddc7 mov x7, #0xeeee // #61166
+ 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16
+ 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32
+ 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48
+ [...]
+
+After (ldimm64 test 1):
+
+ [...]
+ 00000020: 52800007 mov w7, #0x0 // #0
+ 00000024: d2800060 mov x0, #0x3 // #3
+ 00000028: d2800041 mov x1, #0x2 // #2
+ 0000002c: eb01001f cmp x0, x1
+ 00000030: 540000a2 b.cs 0x00000044
+ 00000034: d29fffe7 mov x7, #0xffff // #65535
+ 00000038: f2bfffe7 movk x7, #0xffff, lsl #16
+ 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32
+ 00000040: f2ffffe7 movk x7, #0xffff, lsl #48
+ 00000044: d29dddc7 mov x7, #0xeeee // #61166
+ 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16
+ 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32
+ 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48
+ [...]
+
+Also, add a couple of test cases to make sure JITs pass
+this test. Tested on Cavium ThunderX ARMv8. The added
+test cases all pass after the fix.
+
+Fixes: 8eee539ddea0 ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()")
+Reported-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 8 +++----
+ lib/test_bpf.c | 45 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -779,14 +779,14 @@ static int build_body(struct jit_ctx *ct
+ int ret;
+
+ ret = build_insn(insn, ctx);
+-
+- if (ctx->image == NULL)
+- ctx->offset[i] = ctx->idx;
+-
+ if (ret > 0) {
+ i++;
++ if (ctx->image == NULL)
++ ctx->offset[i] = ctx->idx;
+ continue;
+ }
++ if (ctx->image == NULL)
++ ctx->offset[i] = ctx->idx;
+ if (ret)
+ return ret;
+ }
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -4656,6 +4656,51 @@ static struct bpf_test tests[] = {
+ { },
+ { { 0, 1 } },
+ },
++ {
++ /* Mainly testing JIT + imm64 here. */
++ "JMP_JGE_X: ldimm64 test 1",
++ .u.insns_int = {
++ BPF_ALU32_IMM(BPF_MOV, R0, 0),
++ BPF_LD_IMM64(R1, 3),
++ BPF_LD_IMM64(R2, 2),
++ BPF_JMP_REG(BPF_JGE, R1, R2, 2),
++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL),
++ BPF_LD_IMM64(R0, 0xeeeeeeeeeeeeeeeeUL),
++ BPF_EXIT_INSN(),
++ },
++ INTERNAL,
++ { },
++ { { 0, 0xeeeeeeeeU } },
++ },
++ {
++ "JMP_JGE_X: ldimm64 test 2",
++ .u.insns_int = {
++ BPF_ALU32_IMM(BPF_MOV, R0, 0),
++ BPF_LD_IMM64(R1, 3),
++ BPF_LD_IMM64(R2, 2),
++ BPF_JMP_REG(BPF_JGE, R1, R2, 0),
++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL),
++ BPF_EXIT_INSN(),
++ },
++ INTERNAL,
++ { },
++ { { 0, 0xffffffffU } },
++ },
++ {
++ "JMP_JGE_X: ldimm64 test 3",
++ .u.insns_int = {
++ BPF_ALU32_IMM(BPF_MOV, R0, 1),
++ BPF_LD_IMM64(R1, 3),
++ BPF_LD_IMM64(R2, 2),
++ BPF_JMP_REG(BPF_JGE, R1, R2, 4),
++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL),
++ BPF_LD_IMM64(R0, 0xeeeeeeeeeeeeeeeeUL),
++ BPF_EXIT_INSN(),
++ },
++ INTERNAL,
++ { },
++ { { 0, 1 } },
++ },
+ /* BPF_JMP | BPF_JNE | BPF_X */
+ {
+ "JMP_JNE_X: if (3 != 2) return 1",
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon, 8 May 2017 00:04:09 +0200
+Subject: bpf: don't let ldimm64 leak map addresses on unprivileged
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+
+[ Upstream commit 0d0e57697f162da4aa218b5feafe614fb666db07 ]
+
+The patch fixes two things at once:
+
+1) It checks the env->allow_ptr_leaks and only prints the map address to
+ the log if we have the privileges to do so, otherwise it just dumps 0
+ as we would when kptr_restrict is enabled on %pK. Given the latter is
+ off by default and not every distro sets it, I don't want to rely on
+ this, hence the 0 by default for unprivileged.
+
+2) Printing of ldimm64 in the verifier log is currently broken in that
+ we don't print the full immediate, but only the 32 bit part of the
+ first insn part for ldimm64. Thus, fix this up as well; it's okay to
+ access, since we verified all ldimm64 earlier already (including just
+ constants) through replace_map_fd_with_map_ptr().
+
+Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
+Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -279,7 +279,8 @@ static const char *const bpf_jmp_string[
+ [BPF_EXIT >> 4] = "exit",
+ };
+
+-static void print_bpf_insn(struct bpf_insn *insn)
++static void print_bpf_insn(const struct bpf_verifier_env *env,
++ const struct bpf_insn *insn)
+ {
+ u8 class = BPF_CLASS(insn->code);
+
+@@ -343,9 +344,19 @@ static void print_bpf_insn(struct bpf_in
+ insn->code,
+ bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
+ insn->src_reg, insn->imm);
+- } else if (BPF_MODE(insn->code) == BPF_IMM) {
+- verbose("(%02x) r%d = 0x%x\n",
+- insn->code, insn->dst_reg, insn->imm);
++ } else if (BPF_MODE(insn->code) == BPF_IMM &&
++ BPF_SIZE(insn->code) == BPF_DW) {
++ /* At this point, we already made sure that the second
++ * part of the ldimm64 insn is accessible.
++ */
++ u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
++ bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD;
++
++ if (map_ptr && !env->allow_ptr_leaks)
++ imm = 0;
++
++ verbose("(%02x) r%d = 0x%llx\n", insn->code,
++ insn->dst_reg, (unsigned long long)imm);
+ } else {
+ verbose("BUG_ld_%02x\n", insn->code);
+ return;
+@@ -2674,7 +2685,7 @@ static int do_check(struct bpf_verifier_
+
+ if (log_level) {
+ verbose("%d: ", insn_idx);
+- print_bpf_insn(insn);
++ print_bpf_insn(env, insn);
+ }
+
+ err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx);
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Yonghong Song <yhs@fb.com>
+Date: Sat, 29 Apr 2017 22:52:42 -0700
+Subject: bpf: enhance verifier to understand stack pointer arithmetic
+
+From: Yonghong Song <yhs@fb.com>
+
+
+[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ]
+
+llvm 4.0 and above generates the code like below:
+....
+440: (b7) r1 = 15
+441: (05) goto pc+73
+515: (79) r6 = *(u64 *)(r10 -152)
+516: (bf) r7 = r10
+517: (07) r7 += -112
+518: (bf) r2 = r7
+519: (0f) r2 += r1
+520: (71) r1 = *(u8 *)(r8 +0)
+521: (73) *(u8 *)(r2 +45) = r1
+....
+and the verifier complains "R2 invalid mem access 'inv'" for insn #521.
+This is because verifier marks register r2 as unknown value after #519
+where r2 is a stack pointer and r1 holds a constant value.
+
+Teach verifier to recognize "stack_ptr + imm" and
+"stack_ptr + reg with const val" as valid stack_ptr with new offset.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 11 +++++++++++
+ samples/bpf/test_verifier.c | 18 ++++++++++++------
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1749,6 +1749,17 @@ static int check_alu_op(struct bpf_verif
+ return 0;
+ } else if (opcode == BPF_ADD &&
+ BPF_CLASS(insn->code) == BPF_ALU64 &&
++ dst_reg->type == PTR_TO_STACK &&
++ ((BPF_SRC(insn->code) == BPF_X &&
++ regs[insn->src_reg].type == CONST_IMM) ||
++ BPF_SRC(insn->code) == BPF_K)) {
++ if (BPF_SRC(insn->code) == BPF_X)
++ dst_reg->imm += regs[insn->src_reg].imm;
++ else
++ dst_reg->imm += insn->imm;
++ return 0;
++ } else if (opcode == BPF_ADD &&
++ BPF_CLASS(insn->code) == BPF_ALU64 &&
+ (dst_reg->type == PTR_TO_PACKET ||
+ (BPF_SRC(insn->code) == BPF_X &&
+ regs[insn->src_reg].type == PTR_TO_PACKET))) {
+--- a/samples/bpf/test_verifier.c
++++ b/samples/bpf/test_verifier.c
+@@ -1218,16 +1218,22 @@ static struct bpf_test tests[] = {
+ .result = ACCEPT,
+ },
+ {
+- "unpriv: obfuscate stack pointer",
++ "stack pointer arithmetic",
+ .insns = {
+- BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+- BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+- BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
++ BPF_MOV64_IMM(BPF_REG_1, 4),
++ BPF_JMP_IMM(BPF_JA, 0, 0, 0),
++ BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
++ BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
++ BPF_ST_MEM(0, BPF_REG_2, 4, 0),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
++ BPF_ST_MEM(0, BPF_REG_2, 4, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .errstr_unpriv = "R2 pointer arithmetic",
+- .result_unpriv = REJECT,
+ .result = ACCEPT,
+ },
+ {
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 3 May 2017 17:06:58 +0200
+Subject: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2 ]
+
+raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
+from the userspace contains the IPv4/IPv6 header, so if too few bytes are
+copied, parts of the header may remain uninitialized.
+
+This bug has been detected with KMSAN.
+
+For the record, the KMSAN report:
+
+==================================================================
+BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
+inter: 0
+CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x143/0x1b0 lib/dump_stack.c:52
+ kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
+ __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
+ nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
+ ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
+ nf_hook_entry_hookfn ./include/linux/netfilter.h:102
+ nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
+ nf_hook ./include/linux/netfilter.h:212
+ NF_HOOK ./include/linux/netfilter.h:255
+ rawv6_send_hdrinc net/ipv6/raw.c:673
+ rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
+ inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633
+ sock_sendmsg net/socket.c:643
+ SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
+ SyS_sendto+0xbc/0xe0 net/socket.c:1664
+ do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
+ entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
+RIP: 0033:0x436e03
+RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
+origin: 00000000d9400053
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
+ kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
+ kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
+ slab_alloc_node mm/slub.c:2735
+ __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
+ __kmalloc_reserve net/core/skbuff.c:138
+ __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
+ alloc_skb ./include/linux/skbuff.h:933
+ alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
+ sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
+ sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
+ rawv6_send_hdrinc net/ipv6/raw.c:638
+ rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
+ inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633
+ sock_sendmsg net/socket.c:643
+ SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
+ SyS_sendto+0xbc/0xe0 net/socket.c:1664
+ do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
+ return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
+==================================================================
+
+, triggered by the following syscalls:
+ socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
+ sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
+
+A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
+instead of a PF_INET6 one.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/raw.c | 3 +++
+ net/ipv6/raw.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -356,6 +356,9 @@ static int raw_send_hdrinc(struct sock *
+ rt->dst.dev->mtu);
+ return -EMSGSIZE;
+ }
++ if (length < sizeof(struct iphdr))
++ return -EINVAL;
++
+ if (flags&MSG_PROBE)
+ goto out;
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -630,6 +630,8 @@ static int rawv6_send_hdrinc(struct sock
+ ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
+ return -EMSGSIZE;
+ }
++ if (length < sizeof(struct ipv6hdr))
++ return -EINVAL;
+ if (flags&MSG_PROBE)
+ goto out;
+
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed, 3 May 2017 22:07:31 -0700
+Subject: ipv6: initialize route null entry in addrconf_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 2f460933f58eee3393aba64f0f6d14acb08d1724 ]
+
+Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev
+since it is always NULL.
+
+This is clearly wrong, we have code to initialize it to loopback_dev,
+unfortunately the order is still not correct.
+
+loopback_dev is registered very early during boot, we lose a chance
+to re-initialize it in notifier. addrconf_init() is called after
+ip6_route_init(), which means we have no chance to correct it.
+
+Fix it by moving this initialization explicitly after
+ipv6_add_dev(init_net.loopback_dev) in addrconf_init().
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_route.h | 1 +
+ net/ipv6/addrconf.c | 2 ++
+ net/ipv6/route.c | 26 +++++++++++++++-----------
+ 3 files changed, 18 insertions(+), 11 deletions(-)
+
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -84,6 +84,7 @@ struct dst_entry *ip6_route_lookup(struc
+ struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table,
+ int ifindex, struct flowi6 *fl6, int flags);
+
++void ip6_route_init_special_entries(void);
+ int ip6_route_init(void);
+ void ip6_route_cleanup(void);
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -6264,6 +6264,8 @@ int __init addrconf_init(void)
+ goto errlo;
+ }
+
++ ip6_route_init_special_entries();
++
+ for (i = 0; i < IN6_ADDR_HSIZE; i++)
+ INIT_HLIST_HEAD(&inet6_addr_lst[i]);
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3798,6 +3798,21 @@ static struct notifier_block ip6_route_d
+ .priority = 0,
+ };
+
++void __init ip6_route_init_special_entries(void)
++{
++ /* Registering of the loopback is done before this portion of code,
++ * the loopback reference in rt6_info will not be taken, do it
++ * manually for init_net */
++ init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev;
++ init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
++ #ifdef CONFIG_IPV6_MULTIPLE_TABLES
++ init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev;
++ init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
++ init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
++ init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
++ #endif
++}
++
+ int __init ip6_route_init(void)
+ {
+ int ret;
+@@ -3824,17 +3839,6 @@ int __init ip6_route_init(void)
+
+ ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops_template.kmem_cachep;
+
+- /* Registering of the loopback is done before this portion of code,
+- * the loopback reference in rt6_info will not be taken, do it
+- * manually for init_net */
+- init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev;
+- init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+- #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+- init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev;
+- init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+- init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
+- init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+- #endif
+ ret = fib6_init();
+ if (ret)
+ goto out_register_subsys;
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 8 May 2017 10:12:13 -0700
+Subject: ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 242d3a49a2a1a71d8eb9f953db1bcaa9d698ce00 ]
+
+For each netns (except init_net), we initialize its null entry
+in 3 places:
+
+1) The template itself, as we use kmemdup()
+2) Code around dst_init_metrics() in ip6_route_net_init()
+3) ip6_route_dev_notify(), which is supposed to initialize it after
+ loopback registers
+
+Unfortunately the last one still happens in a wrong order because
+we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to
+net->loopback_dev's idev, thus we have to do that after we add
+idev to loopback. However, this notifier has priority == 0 same as
+ipv6_dev_notf, and ipv6_dev_notf is registered after
+ip6_route_dev_notifier so it is called actually after
+ip6_route_dev_notifier. This is similar to commit 2f460933f58e
+("ipv6: initialize route null entry in addrconf_init()") which
+fixes init_net.
+
+Fix it by picking a smaller priority for ip6_route_dev_notifier.
+Also, we have to release the refcnt accordingly when unregistering
+loopback_dev because device exit functions are called before subsys
+exit functions.
+
+Acked-by: David Ahern <dsahern@gmail.com>
+Tested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/addrconf.h | 2 ++
+ net/ipv6/addrconf.c | 1 +
+ net/ipv6/route.c | 13 +++++++++++--
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -20,6 +20,8 @@
+ #define ADDRCONF_TIMER_FUZZ (HZ / 4)
+ #define ADDRCONF_TIMER_FUZZ_MAX (HZ)
+
++#define ADDRCONF_NOTIFY_PRIORITY 0
++
+ #include <linux/in.h>
+ #include <linux/in6.h>
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3492,6 +3492,7 @@ static int addrconf_notify(struct notifi
+ */
+ static struct notifier_block ipv6_dev_notf = {
+ .notifier_call = addrconf_notify,
++ .priority = ADDRCONF_NOTIFY_PRIORITY,
+ };
+
+ static void addrconf_type_change(struct net_device *dev, unsigned long event)
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3480,7 +3480,10 @@ static int ip6_route_dev_notify(struct n
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct net *net = dev_net(dev);
+
+- if (event == NETDEV_REGISTER && (dev->flags & IFF_LOOPBACK)) {
++ if (!(dev->flags & IFF_LOOPBACK))
++ return NOTIFY_OK;
++
++ if (event == NETDEV_REGISTER) {
+ net->ipv6.ip6_null_entry->dst.dev = dev;
+ net->ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(dev);
+ #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+@@ -3489,6 +3492,12 @@ static int ip6_route_dev_notify(struct n
+ net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
+ net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
+ #endif
++ } else if (event == NETDEV_UNREGISTER) {
++ in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev);
++#ifdef CONFIG_IPV6_MULTIPLE_TABLES
++ in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev);
++ in6_dev_put(net->ipv6.ip6_blk_hole_entry->rt6i_idev);
++#endif
+ }
+
+ return NOTIFY_OK;
+@@ -3795,7 +3804,7 @@ static struct pernet_operations ip6_rout
+
+ static struct notifier_block ip6_route_dev_notifier = {
+ .notifier_call = ip6_route_dev_notify,
+- .priority = 0,
++ .priority = ADDRCONF_NOTIFY_PRIORITY - 10,
+ };
+
+ void __init ip6_route_init_special_entries(void)
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 25 Apr 2017 19:08:18 +0200
+Subject: macsec: dynamically allocate space for sglist
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit 5294b83086cc1c35b4efeca03644cf9d12282e5b ]
+
+We call skb_cow_data, which is good anyway to ensure we can actually
+modify the skb as such (another error from prior). Now that we have the
+number of fragments required, we can safely allocate exactly that amount
+of memory.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -617,7 +617,8 @@ static void macsec_encrypt_done(struct c
+
+ static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
+ unsigned char **iv,
+- struct scatterlist **sg)
++ struct scatterlist **sg,
++ int num_frags)
+ {
+ size_t size, iv_offset, sg_offset;
+ struct aead_request *req;
+@@ -629,7 +630,7 @@ static struct aead_request *macsec_alloc
+
+ size = ALIGN(size, __alignof__(struct scatterlist));
+ sg_offset = size;
+- size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
++ size += sizeof(struct scatterlist) * num_frags;
+
+ tmp = kmalloc(size, GFP_ATOMIC);
+ if (!tmp)
+@@ -649,6 +650,7 @@ static struct sk_buff *macsec_encrypt(st
+ {
+ int ret;
+ struct scatterlist *sg;
++ struct sk_buff *trailer;
+ unsigned char *iv;
+ struct ethhdr *eth;
+ struct macsec_eth_header *hh;
+@@ -723,7 +725,14 @@ static struct sk_buff *macsec_encrypt(st
+ return ERR_PTR(-EINVAL);
+ }
+
+- req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg);
++ ret = skb_cow_data(skb, 0, &trailer);
++ if (unlikely(ret < 0)) {
++ macsec_txsa_put(tx_sa);
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
++
++ req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
+ if (!req) {
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+@@ -732,7 +741,7 @@ static struct sk_buff *macsec_encrypt(st
+
+ macsec_fill_iv(iv, secy->sci, pn);
+
+- sg_init_table(sg, MAX_SKB_FRAGS + 1);
++ sg_init_table(sg, ret);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (tx_sc->encrypt) {
+@@ -914,6 +923,7 @@ static struct sk_buff *macsec_decrypt(st
+ {
+ int ret;
+ struct scatterlist *sg;
++ struct sk_buff *trailer;
+ unsigned char *iv;
+ struct aead_request *req;
+ struct macsec_eth_header *hdr;
+@@ -924,7 +934,12 @@ static struct sk_buff *macsec_decrypt(st
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+
+- req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg);
++ ret = skb_cow_data(skb, 0, &trailer);
++ if (unlikely(ret < 0)) {
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
++ req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
+ if (!req) {
+ kfree_skb(skb);
+ return ERR_PTR(-ENOMEM);
+@@ -933,7 +948,7 @@ static struct sk_buff *macsec_decrypt(st
+ hdr = (struct macsec_eth_header *)skb->data;
+ macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
+
+- sg_init_table(sg, MAX_SKB_FRAGS + 1);
++ sg_init_table(sg, ret);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (hdr->tci_an & MACSEC_TCI_E) {
+@@ -2709,7 +2724,7 @@ static netdev_tx_t macsec_start_xmit(str
+ }
+
+ #define MACSEC_FEATURES \
+- (NETIF_F_SG | NETIF_F_HIGHDMA)
++ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
+ static struct lock_class_key macsec_netdev_addr_lock_key;
+
+ static int macsec_dev_init(struct net_device *dev)
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 26 Apr 2017 09:07:46 -0700
+Subject: net: adjust skb->truesize in ___pskb_trim()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit c21b48cc1bbf2f5af3ef54ada559f7fadf8b508b ]
+
+Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
+skb_try_coalesce() using syzkaller and a filter attached to a TCP
+socket.
+
+As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in
+pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(),
+via a call to skb_condense().
+
+If all frags were freed, then skb->truesize can be recomputed.
+
+This call can be done if skb is not yet owned, or destructor is
+sock_edemux().
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -1572,6 +1572,8 @@ done:
+ skb_set_tail_pointer(skb, len);
+ }
+
++ if (!skb->sk || skb->destructor == sock_edemux)
++ skb_condense(skb);
+ return 0;
+ }
+ EXPORT_SYMBOL(___pskb_trim);
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 2 May 2017 14:43:44 -0700
+Subject: net: ipv6: Do not duplicate DAD on link up
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit 6d717134a1a6e1b34a7d0d70e953037bc2642046 ]
+
+Andrey reported a warning triggered by the rcu code:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289
+debug_print_object+0x175/0x210
+ODEBUG: activate active (active state 1) object type: rcu_head hint:
+ (null)
+Modules linked in:
+CPU: 1 PID: 5911 Comm: a.out Not tainted 4.11.0-rc8+ #271
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x192/0x22d lib/dump_stack.c:52
+ __warn+0x19f/0x1e0 kernel/panic.c:549
+ warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
+ debug_print_object+0x175/0x210 lib/debugobjects.c:286
+ debug_object_activate+0x574/0x7e0 lib/debugobjects.c:442
+ debug_rcu_head_queue kernel/rcu/rcu.h:75
+ __call_rcu.constprop.76+0xff/0x9c0 kernel/rcu/tree.c:3229
+ call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
+ rt6_rcu_free net/ipv6/ip6_fib.c:158
+ rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188
+ fib6_del_route net/ipv6/ip6_fib.c:1461
+ fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500
+ __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174
+ ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187
+ __ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520
+ addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672
+...
+
+Andrey's reproducer program runs in a very tight loop, calling
+'unshare -n' and then spawning 2 sets of 14 threads running random ioctl
+calls. The relevant networking sequence:
+
+1. New network namespace created via unshare -n
+- ip6tnl0 device is created in down state
+
+2. address added to ip6tnl0
+- equivalent to ip -6 addr add dev ip6tnl0 fd00::bb/1
+- DAD is started on the address and when it completes the host
+ route is inserted into the FIB
+
+3. ip6tnl0 is brought up
+- the new fixup_permanent_addr function restarts DAD on the address
+
+4. exit namespace
+- teardown / cleanup sequence starts
+- once in a blue moon, lo teardown appears to happen BEFORE teardown
+ of ip6tunl0
+ + down on 'lo' removes the host route from the FIB since the dst->dev
+ for the route is loobback
+ + host route added to rcu callback list
+ * rcu callback has not run yet, so rt is NOT on the gc list so it has
+ NOT been marked obsolete
+
+5. in parallel to 4. worker_thread runs addrconf_dad_completed
+- DAD on the address on ip6tnl0 completes
+- calls ipv6_ifa_notify which inserts the host route
+
+All of that happens very quickly. The result is that a host route that
+has been deleted from the IPv6 FIB and added to the RCU list is re-inserted
+into the FIB.
+
+The exit namespace eventually gets to cleaning up ip6tnl0 which removes the
+host route from the FIB again, calls the rcu function for cleanup -- and
+triggers the double rcu trace.
+
+The root cause is duplicate DAD on the address -- steps 2 and 3. Arguably,
+DAD should not be started in step 2. The interface is in the down state,
+so it can not really send out requests for the address which makes starting
+DAD pointless.
+
+Since the second DAD was introduced by a recent change, seems appropriate
+to use it for the Fixes tag and have the fixup function only start DAD for
+addresses in the PREDAD state which occurs in addrconf_ifdown if the
+address is retained.
+
+Big thanks to Andrey for isolating a reliable reproducer for this problem.
+Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3278,7 +3278,8 @@ static int fixup_permanent_addr(struct i
+ idev->dev, 0, 0);
+ }
+
+- addrconf_dad_start(ifp);
++ if (ifp->state == INET6_IFADDR_STATE_PREDAD)
++ addrconf_dad_start(ifp);
+
+ return 0;
+ }
+@@ -3627,7 +3628,7 @@ restart:
+ if (keep) {
+ /* set state to skip the notifier below */
+ state = INET6_IFADDR_STATE_DEAD;
+- ifa->state = 0;
++ ifa->state = INET6_IFADDR_STATE_PREDAD;
+ if (!(ifa->flags & IFA_F_NODAD))
+ ifa->flags |= IFA_F_TENTATIVE;
+
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Jon Mason <jon.mason@broadcom.com>
+Date: Mon, 8 May 2017 17:48:35 -0400
+Subject: net: mdio-mux: bcm-iproc: call mdiobus_free() in error path
+
+From: Jon Mason <jon.mason@broadcom.com>
+
+
+[ Upstream commit 922c60e89d52730050c6ccca218bff40cc8bcd8e ]
+
+If an error is encountered in mdio_mux_init(), the error path will call
+mdiobus_free(). Since mdiobus_register() has been called prior to
+mdio_mux_init(), the bus->state will not be MDIOBUS_UNREGISTERED. This
+causes a BUG_ON() in mdiobus_free(). To correct this issue, add an
+error path for mdio_mux_init() which calls mdiobus_unregister() prior to
+mdiobus_free().
+
+Signed-off-by: Jon Mason <jon.mason@broadcom.com>
+Fixes: 98bc865a1ec8 ("net: mdio-mux: Add MDIO mux driver for iProc SoCs")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-mux-bcm-iproc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/mdio-mux-bcm-iproc.c
++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c
+@@ -203,11 +203,14 @@ static int mdio_mux_iproc_probe(struct p
+ &md->mux_handle, md, md->mii_bus);
+ if (rc) {
+ dev_info(md->dev, "mdiomux initialization failed\n");
+- goto out;
++ goto out_register;
+ }
+
+ dev_info(md->dev, "iProc mdiomux registered\n");
+ return 0;
++
++out_register:
++ mdiobus_unregister(bus);
+ out:
+ mdiobus_free(bus);
+ return rc;
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Wed, 3 May 2017 10:30:11 +0200
+Subject: net: usb: qmi_wwan: add Telit ME910 support
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+
+[ Upstream commit 4c54dc0277d0d55a9248c43aebd31858f926a056 ]
+
+This patch adds support for Telit ME910 PID 0x1100.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -902,6 +902,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
++ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Thu, 4 May 2017 16:48:58 +0200
+Subject: rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 77ef033b687c3e030017c94a29bf6ea3aaaef678 ]
+
+IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0.
+Otherwise libnl3 fails to validate netlink messages with this attribute.
+"ip -detail a" assumes too that the attribute is NUL-terminated when
+printing it. It often was, due to padding.
+
+I noticed this as libvirtd failing to start on a system with sfc driver
+after upgrading it to Linux 4.11, i.e. when sfc added support for
+phys_port_name.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1059,7 +1059,7 @@ static int rtnl_phys_port_name_fill(stru
+ return err;
+ }
+
+- if (nla_put(skb, IFLA_PHYS_PORT_NAME, strlen(name), name))
++ if (nla_put_string(skb, IFLA_PHYS_PORT_NAME, name))
+ return -EMSGSIZE;
+
+ return 0;
staging-lustre-mdc-make-it_open-take-lookup-bits-lock.patch
alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch
sparc64-fix-fault-handling-in-ngbzero.s-and-genbzero.s.patch
+macsec-dynamically-allocate-space-for-sglist.patch
+tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch
+net-adjust-skb-truesize-in-___pskb_trim.patch
+bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch
+bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch
+tcp-fix-wraparound-issue-in-tcp_lp.patch
+net-ipv6-do-not-duplicate-dad-on-link-up.patch
+net-usb-qmi_wwan-add-telit-me910-support.patch
+tcp-do-not-inherit-fastopen_req-from-parent.patch
+ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch
+rtnetlink-nul-terminate-ifla_phys_port_name-string.patch
+ipv6-initialize-route-null-entry-in-addrconf_init.patch
+ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch
+bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch
+bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch
+net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 3 May 2017 06:39:31 -0700
+Subject: tcp: do not inherit fastopen_req from parent
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 8b485ce69876c65db12ed390e7f9c0d2a64eff2c ]
+
+Under fuzzer stress, it is possible that a child gets a non NULL
+fastopen_req pointer from its parent at accept() time, when/if parent
+morphs from listener to active session.
+
+We need to make sure this can not happen, by clearing the field after
+socket cloning.
+
+BUG: Double free or freeing an invalid pointer
+Unexpected shadow byte: 0xFB
+CPU: 3 PID: 20933 Comm: syz-executor3 Not tainted 4.11.0+ #306
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
+ kasan_report_double_free+0x5c/0x70 mm/kasan/report.c:185
+ kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:580
+ slab_free_hook mm/slub.c:1357 [inline]
+ slab_free_freelist_hook mm/slub.c:1379 [inline]
+ slab_free mm/slub.c:2961 [inline]
+ kfree+0xe8/0x2b0 mm/slub.c:3882
+ tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
+ tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
+ inet_child_forget+0xb8/0x600 net/ipv4/inet_connection_sock.c:898
+ inet_csk_reqsk_queue_add+0x1e7/0x250
+net/ipv4/inet_connection_sock.c:928
+ tcp_get_cookie_sock+0x21a/0x510 net/ipv4/syncookies.c:217
+ cookie_v4_check+0x1a19/0x28b0 net/ipv4/syncookies.c:384
+ tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1384 [inline]
+ tcp_v4_do_rcv+0x731/0x940 net/ipv4/tcp_ipv4.c:1421
+ tcp_v4_rcv+0x2dc0/0x31c0 net/ipv4/tcp_ipv4.c:1715
+ ip_local_deliver_finish+0x4cc/0xc20 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:257 [inline]
+ ip_local_deliver+0x1ce/0x700 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:492 [inline]
+ ip_rcv_finish+0xb1d/0x20b0 net/ipv4/ip_input.c:396
+ NF_HOOK include/linux/netfilter.h:257 [inline]
+ ip_rcv+0xd8c/0x19c0 net/ipv4/ip_input.c:487
+ __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4210
+ __netif_receive_skb+0x2a/0x1a0 net/core/dev.c:4248
+ process_backlog+0xe5/0x6c0 net/core/dev.c:4868
+ napi_poll net/core/dev.c:5270 [inline]
+ net_rx_action+0xe70/0x18e0 net/core/dev.c:5335
+ __do_softirq+0x2fb/0xb99 kernel/softirq.c:284
+ do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:899
+ </IRQ>
+ do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
+ do_softirq kernel/softirq.c:176 [inline]
+ __local_bh_enable_ip+0x1cf/0x1e0 kernel/softirq.c:181
+ local_bh_enable include/linux/bottom_half.h:31 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:931 [inline]
+ ip_finish_output2+0x9ab/0x15e0 net/ipv4/ip_output.c:230
+ ip_finish_output+0xa35/0xdf0 net/ipv4/ip_output.c:316
+ NF_HOOK_COND include/linux/netfilter.h:246 [inline]
+ ip_output+0x1f6/0x7b0 net/ipv4/ip_output.c:404
+ dst_output include/net/dst.h:486 [inline]
+ ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
+ ip_queue_xmit+0x9a8/0x1a10 net/ipv4/ip_output.c:503
+ tcp_transmit_skb+0x1ade/0x3470 net/ipv4/tcp_output.c:1057
+ tcp_write_xmit+0x79e/0x55b0 net/ipv4/tcp_output.c:2265
+ __tcp_push_pending_frames+0xfa/0x3a0 net/ipv4/tcp_output.c:2450
+ tcp_push+0x4ee/0x780 net/ipv4/tcp.c:683
+ tcp_sendmsg+0x128d/0x39b0 net/ipv4/tcp.c:1342
+ inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ SYSC_sendto+0x660/0x810 net/socket.c:1696
+ SyS_sendto+0x40/0x50 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+RIP: 0033:0x446059
+RSP: 002b:00007faa6761fb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000446059
+RDX: 0000000000000001 RSI: 0000000020ba3fcd RDI: 0000000000000017
+RBP: 00000000006e40a0 R08: 0000000020ba4ff0 R09: 0000000000000010
+R10: 0000000020000000 R11: 0000000000000282 R12: 0000000000708150
+R13: 0000000000000000 R14: 00007faa676209c0 R15: 00007faa67620700
+Object at ffff88003b5bbcb8, in cache kmalloc-64 size: 64
+Allocated:
+PID = 20909
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:513
+ set_track mm/kasan/kasan.c:525 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
+ kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
+ kmalloc include/linux/slab.h:490 [inline]
+ kzalloc include/linux/slab.h:663 [inline]
+ tcp_sendmsg_fastopen net/ipv4/tcp.c:1094 [inline]
+ tcp_sendmsg+0x221a/0x39b0 net/ipv4/tcp.c:1139
+ inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ SYSC_sendto+0x660/0x810 net/socket.c:1696
+ SyS_sendto+0x40/0x50 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+Freed:
+PID = 20909
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:513
+ set_track mm/kasan/kasan.c:525 [inline]
+ kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
+ slab_free_hook mm/slub.c:1357 [inline]
+ slab_free_freelist_hook mm/slub.c:1379 [inline]
+ slab_free mm/slub.c:2961 [inline]
+ kfree+0xe8/0x2b0 mm/slub.c:3882
+ tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline]
+ tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328
+ __inet_stream_connect+0x20c/0xf90 net/ipv4/af_inet.c:593
+ tcp_sendmsg_fastopen net/ipv4/tcp.c:1111 [inline]
+ tcp_sendmsg+0x23a8/0x39b0 net/ipv4/tcp.c:1139
+ inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ SYSC_sendto+0x660/0x810 net/socket.c:1696
+ SyS_sendto+0x40/0x50 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
+Fixes: 7db92362d2fe ("tcp: fix potential double free issue for fastopen_req")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_minisocks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -543,6 +543,7 @@ struct sock *tcp_create_openreq_child(co
+ newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
+ newtp->rx_opt.mss_clamp = req->mss;
+ tcp_ecn_openreq_child(newtp, req);
++ newtp->fastopen_req = NULL;
+ newtp->fastopen_rsk = NULL;
+ newtp->syn_data_acked = 0;
+ newtp->rack.mstamp.v64 = 0;
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 26 Apr 2017 17:15:40 -0700
+Subject: tcp: do not underestimate skb->truesize in tcp_trim_head()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7162fb242cb8322beb558828fd26b33c3e9fc805 ]
+
+Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
+skb_try_coalesce() using syzkaller and a filter attached to a TCP
+socket over loopback interface.
+
+I believe one issue with looped skbs is that tcp_trim_head() can end up
+producing skb with under estimated truesize.
+
+It hardly matters for normal conditions, since packets sent over
+loopback are never truncated.
+
+Bytes trimmed from skb->head should not change skb truesize, since
+skb->head is not reallocated.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1246,7 +1246,7 @@ int tcp_fragment(struct sock *sk, struct
+ * eventually). The difference is that pulled data not copied, but
+ * immediately discarded.
+ */
+-static void __pskb_trim_head(struct sk_buff *skb, int len)
++static int __pskb_trim_head(struct sk_buff *skb, int len)
+ {
+ struct skb_shared_info *shinfo;
+ int i, k, eat;
+@@ -1256,7 +1256,7 @@ static void __pskb_trim_head(struct sk_b
+ __skb_pull(skb, eat);
+ len -= eat;
+ if (!len)
+- return;
++ return 0;
+ }
+ eat = len;
+ k = 0;
+@@ -1282,23 +1282,28 @@ static void __pskb_trim_head(struct sk_b
+ skb_reset_tail_pointer(skb);
+ skb->data_len -= len;
+ skb->len = skb->data_len;
++ return len;
+ }
+
+ /* Remove acked data from a packet in the transmit queue. */
+ int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
+ {
++ u32 delta_truesize;
++
+ if (skb_unclone(skb, GFP_ATOMIC))
+ return -ENOMEM;
+
+- __pskb_trim_head(skb, len);
++ delta_truesize = __pskb_trim_head(skb, len);
+
+ TCP_SKB_CB(skb)->seq += len;
+ skb->ip_summed = CHECKSUM_PARTIAL;
+
+- skb->truesize -= len;
+- sk->sk_wmem_queued -= len;
+- sk_mem_uncharge(sk, len);
+- sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
++ if (delta_truesize) {
++ skb->truesize -= delta_truesize;
++ sk->sk_wmem_queued -= delta_truesize;
++ sk_mem_uncharge(sk, delta_truesize);
++ sock_set_flag(sk, SOCK_QUEUE_SHRUNK);
++ }
+
+ /* Any change of skb->len requires recalculation of tso factor. */
+ if (tcp_skb_pcount(skb) > 1)
--- /dev/null
+From foo@baz Thu May 11 11:08:24 CEST 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 1 May 2017 15:29:48 -0700
+Subject: tcp: fix wraparound issue in tcp_lp
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit a9f11f963a546fea9144f6a6d1a307e814a387e7 ]
+
+Be careful when comparing tcp_time_stamp to some u32 quantity,
+otherwise result can be surprising.
+
+Fixes: 7c106d7e782b ("[TCP]: TCP Low Priority congestion control")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_lp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_lp.c
++++ b/net/ipv4/tcp_lp.c
+@@ -264,13 +264,15 @@ static void tcp_lp_pkts_acked(struct soc
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct lp *lp = inet_csk_ca(sk);
++ u32 delta;
+
+ if (sample->rtt_us > 0)
+ tcp_lp_rtt_sample(sk, sample->rtt_us);
+
+ /* calc inference */
+- if (tcp_time_stamp > tp->rx_opt.rcv_tsecr)
+- lp->inference = 3 * (tcp_time_stamp - tp->rx_opt.rcv_tsecr);
++ delta = tcp_time_stamp - tp->rx_opt.rcv_tsecr;
++ if ((s32)delta > 0)
++ lp->inference = 3 * delta;
+
+ /* test if within inference */
+ if (lp->last_drop && (tcp_time_stamp - lp->last_drop < lp->inference))
projects / thirdparty / kernel / stable-queue.git / commitdiff
