--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Miguel Fadon Perlines <mfadon@teldat.com>
+Date: Thu, 5 Apr 2018 10:25:38 +0200
+Subject: arp: fix arp_filter on l3slave devices
+
+From: Miguel Fadon Perlines <mfadon@teldat.com>
+
+
+[ Upstream commit 58b35f27689b5eb514fc293c332966c226b1b6e4 ]
+
+arp_filter performs an ip_route_output search for arp source address and
+checks if output device is the same where the arp request was received,
+if it is not, the arp request is not answered.
+
+This route lookup is always done on main route table so l3slave devices
+never find the proper route and arp is not answered.
+
+Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the
+lookup for l3slave devices while maintaining same behavior for non
+l3slave devices as this function returns 0 in that case.
+
+Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX")
+Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/arp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -437,7 +437,7 @@ static int arp_filter(__be32 sip, __be32
+ /*unsigned long now; */
+ struct net *net = dev_net(dev);
+
+- rt = ip_route_output(net, sip, tip, 0, 0);
++ rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev));
+ if (IS_ERR(rt))
+ return 1;
+ if (rt->dst.dev != dev) {
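Review bot: The new `oif` argument on the `ip_route_output()` line has no comment, and the call now depends on `l3mdev_master_ifindex_rcu()`, whose name suggests it must run inside an RCU read-side section. I would add above it `/* oif: L3 master (VRF) ifindex so the lookup uses the slave's table; 0 for non-l3slave devices. Caller must hold rcu_read_lock(). */`. Whether every caller of arp_filter() already holds the RCU read lock cannot be confirmed here, because the function starts and ends outside the hunk.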
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:45 +0800
+Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ]
+
+vlan_vids_add_by_dev is called right after dev hwaddr sync, so on
+the err path it should unsync dev hwaddr. Otherwise, the slave
+dev's hwaddr will never be unsync when this err happens.
+
+Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1561,7 +1561,7 @@ int bond_enslave(struct net_device *bond
+ if (res) {
+ netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+ slave_dev->name);
+- goto err_close;
++ goto err_hwaddr_unsync;
+ }
+
+ prev_slave = bond_last_slave(bond);
+@@ -1749,9 +1749,6 @@ err_unregister:
+ netdev_rx_handler_unregister(slave_dev);
+
+ err_detach:
+- if (!bond_uses_primary(bond))
+- bond_hw_addr_flush(bond_dev, slave_dev);
+-
+ vlan_vids_del_by_dev(slave_dev, bond_dev);
+ if (rcu_access_pointer(bond->primary_slave) == new_slave)
+ RCU_INIT_POINTER(bond->primary_slave, NULL);
+@@ -1765,6 +1762,10 @@ err_detach:
+ synchronize_rcu();
+ slave_disable_netpoll(new_slave);
+
++err_hwaddr_unsync:
++ if (!bond_uses_primary(bond))
++ bond_hw_addr_flush(bond_dev, slave_dev);
++
+ err_close:
+ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
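Review bot: The new `err_hwaddr_unsync` label only flushes the synced unicast/multicast addresses; it does not drop any promiscuity or allmulti count the enslave path may have raised on `slave_dev` before `vlan_vids_add_by_dev()` failed. The setup code is outside these hunks, so this is inferred. If `dev_set_promiscuity(slave_dev, 1)` and `dev_set_allmulti(slave_dev, 1)` do run before the VLAN step, the error path should pair them under the same `!bond_uses_primary(bond)` guard, e.g. `if (bond_dev->flags & IFF_PROMISC) dev_set_promiscuity(slave_dev, -1);` plus the allmulti equivalent. A leaked promiscuity count would leave the interface accepting all frames after a failed enslave.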
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:46 +0800
+Subject: bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e ]
+
+Beniamino found a crash when adding vlan as slave of bond which is also
+the parent link:
+
+ ip link add bond1 type bond
+ ip link set bond1 up
+ ip link add link bond1 vlan1 type vlan id 80
+ ip link set vlan1 master bond1
+
+The call trace is as below:
+
+ [<ffffffffa850842a>] queued_spin_lock_slowpath+0xb/0xf
+ [<ffffffffa8515680>] _raw_spin_lock+0x20/0x30
+ [<ffffffffa83f6f07>] dev_mc_sync+0x37/0x80
+ [<ffffffffc08687dc>] vlan_dev_set_rx_mode+0x1c/0x30 [8021q]
+ [<ffffffffa83efd2a>] __dev_set_rx_mode+0x5a/0xa0
+ [<ffffffffa83f7138>] dev_mc_sync_multiple+0x78/0x80
+ [<ffffffffc084127c>] bond_enslave+0x67c/0x1190 [bonding]
+ [<ffffffffa8401909>] do_setlink+0x9c9/0xe50
+ [<ffffffffa8403bf2>] rtnl_newlink+0x522/0x880
+ [<ffffffffa8403ff7>] rtnetlink_rcv_msg+0xa7/0x260
+ [<ffffffffa8424ecb>] netlink_rcv_skb+0xab/0xc0
+ [<ffffffffa83fe498>] rtnetlink_rcv+0x28/0x30
+ [<ffffffffa8424850>] netlink_unicast+0x170/0x210
+ [<ffffffffa8424bf8>] netlink_sendmsg+0x308/0x420
+ [<ffffffffa83cc396>] sock_sendmsg+0xb6/0xf0
+
+This is actually a dead lock caused by sync slave hwaddr from master when
+the master is the slave's 'slave'. This dead loop check is actually done
+by netdev_master_upper_dev_link. However, Commit 1f718f0f4f97 ("bonding:
+populate neighbour's private on enslave") moved it after dev_mc_sync.
+
+This patch is to fix it by moving dev_mc_sync after master_upper_dev_link,
+so that this loop check would be earlier than dev_mc_sync. It also moves
+if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an
+improvement.
+
+Note team driver also has this issue, I will fix it in another patch.
+
+Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave")
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 73 +++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1524,44 +1524,11 @@ int bond_enslave(struct net_device *bond
+ goto err_close;
+ }
+
+- /* If the mode uses primary, then the following is handled by
+- * bond_change_active_slave().
+- */
+- if (!bond_uses_primary(bond)) {
+- /* set promiscuity level to new slave */
+- if (bond_dev->flags & IFF_PROMISC) {
+- res = dev_set_promiscuity(slave_dev, 1);
+- if (res)
+- goto err_close;
+- }
+-
+- /* set allmulti level to new slave */
+- if (bond_dev->flags & IFF_ALLMULTI) {
+- res = dev_set_allmulti(slave_dev, 1);
+- if (res)
+- goto err_close;
+- }
+-
+- netif_addr_lock_bh(bond_dev);
+-
+- dev_mc_sync_multiple(slave_dev, bond_dev);
+- dev_uc_sync_multiple(slave_dev, bond_dev);
+-
+- netif_addr_unlock_bh(bond_dev);
+- }
+-
+- if (BOND_MODE(bond) == BOND_MODE_8023AD) {
+- /* add lacpdu mc addr to mc list */
+- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+-
+- dev_mc_add(slave_dev, lacpdu_multicast);
+- }
+-
+ res = vlan_vids_add_by_dev(slave_dev, bond_dev);
+ if (res) {
+ netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+ slave_dev->name);
+- goto err_hwaddr_unsync;
++ goto err_close;
+ }
+
+ prev_slave = bond_last_slave(bond);
+@@ -1719,6 +1686,37 @@ int bond_enslave(struct net_device *bond
+ goto err_upper_unlink;
+ }
+
++ /* If the mode uses primary, then the following is handled by
++ * bond_change_active_slave().
++ */
++ if (!bond_uses_primary(bond)) {
++ /* set promiscuity level to new slave */
++ if (bond_dev->flags & IFF_PROMISC) {
++ res = dev_set_promiscuity(slave_dev, 1);
++ if (res)
++ goto err_sysfs_del;
++ }
++
++ /* set allmulti level to new slave */
++ if (bond_dev->flags & IFF_ALLMULTI) {
++ res = dev_set_allmulti(slave_dev, 1);
++ if (res)
++ goto err_sysfs_del;
++ }
++
++ netif_addr_lock_bh(bond_dev);
++ dev_mc_sync_multiple(slave_dev, bond_dev);
++ dev_uc_sync_multiple(slave_dev, bond_dev);
++ netif_addr_unlock_bh(bond_dev);
++
++ if (BOND_MODE(bond) == BOND_MODE_8023AD) {
++ /* add lacpdu mc addr to mc list */
++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
++
++ dev_mc_add(slave_dev, lacpdu_multicast);
++ }
++ }
++
+ bond->slave_cnt++;
+ bond_compute_features(bond);
+ bond_set_carrier(bond);
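Review bot: The return value of `dev_mc_add(slave_dev, lacpdu_multicast)` in the relocated 802.3ad block is still discarded, so a failure to install the LACPDU multicast address goes unnoticed and the slave may join the bond without receiving LACPDUs. At minimum log it: `if (dev_mc_add(slave_dev, lacpdu_multicast)) netdev_warn(bond_dev, "could not add LACPDU mc addr to %s\n", slave_dev->name);`. Nesting the block under `!bond_uses_primary(bond)` also deserves a one-line comment stating that 802.3ad mode never uses a primary, assuming that holds; bond_uses_primary() is not shown here. bond_enslave() starts and ends outside the hunk.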
+@@ -1742,6 +1740,9 @@ int bond_enslave(struct net_device *bond
+ return 0;
+
+ /* Undo stages on error */
++err_sysfs_del:
++ bond_sysfs_slave_del(new_slave);
++
+ err_upper_unlink:
+ bond_upper_dev_unlink(bond, new_slave);
+
+@@ -1762,10 +1763,6 @@ err_detach:
+ synchronize_rcu();
+ slave_disable_netpoll(new_slave);
+
+-err_hwaddr_unsync:
+- if (!bond_uses_primary(bond))
+- bond_hw_addr_flush(bond_dev, slave_dev);
+-
+ err_close:
+ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:47 +0800
+Subject: bonding: process the err returned by dev_set_allmulti properly in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9f5a90c107741b864398f4ac0014711a8c1d8474 ]
+
+When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails,
+dev_set_promiscuity(-1) should be done before going to the err path.
+Otherwise, dev->promiscuity will leak.
+
+Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1700,8 +1700,11 @@ int bond_enslave(struct net_device *bond
+ /* set allmulti level to new slave */
+ if (bond_dev->flags & IFF_ALLMULTI) {
+ res = dev_set_allmulti(slave_dev, 1);
+- if (res)
++ if (res) {
++ if (bond_dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(slave_dev, -1);
+ goto err_sysfs_del;
++ }
+ }
+
+ netif_addr_lock_bh(bond_dev);
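Review bot: The inline `dev_set_promiscuity(slave_dev, -1)` is the only place that undoes the promiscuity bump, and nothing says why it is done here rather than at the label. A short comment such as `/* err_sysfs_del does not drop the promiscuity count taken above */` would keep a later edit from adding another failing step after this block without its own undo. The body of the `err_sysfs_del` path is outside this hunk, so check the comment's claim against it.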
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:29 -0700
+Subject: ip6_gre: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466
+
+CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+ ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -319,11 +319,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc
+ if (t || !create)
+ return t;
+
+- if (parms->name[0])
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ return NULL;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else
++ } else {
+ strcpy(name, "ip6gre%d");
+-
++ }
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ip6gre_tunnel_setup);
+ if (!dev)
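Review bot: Returning `NULL` when `dev_valid_name(parms->name)` fails makes a rejected name indistinguishable from a failed allocation, so userspace presumably receives whatever errno the ioctl path maps a NULL tunnel to rather than an invalid-name error. The same applies to the `goto failed` added in the net/ipv6/sit.c hunk. Since the return type leaves no room for an error code, I would at least document the behaviour above the check: `/* user-supplied name: reject illegal names before copying; caller reports the NULL return */`. ip6gre_tunnel_locate() starts and ends outside the hunk.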
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:30 -0700
+Subject: ip6_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -298,13 +298,16 @@ static struct ip6_tnl *ip6_tnl_create(st
+ struct net_device *dev;
+ struct ip6_tnl *t;
+ char name[IFNAMSIZ];
+- int err = -ENOMEM;
++ int err = -E2BIG;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6tnl%%d");
+-
++ }
++ err = -ENOMEM;
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ip6_tnl_dev_setup);
+ if (!dev)
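Review bot: `err = -E2BIG` is what a caller sees for every name `dev_valid_name()` rejects, including `.` and `..`, which are not too long. `-EINVAL` would describe those cases better, if changing the errno is acceptable for existing users. The same default is hoisted in the net/ipv4/ip_tunnel.c hunk. The `err = -ENOMEM;` reset just before `alloc_netdev()` is easy to lose in a later edit, so a comment like `/* err is -E2BIG only for the name checks above */` would help. The `failed:` label is outside the hunk.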
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:27 -0700
+Subject: ip_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482
+
+CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+ ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
+ ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
+ ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -253,13 +253,14 @@ static struct net_device *__ip_tunnel_cr
+ struct net_device *dev;
+ char name[IFNAMSIZ];
+
+- if (parms->name[0])
++ err = -E2BIG;
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ goto failed;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else {
+- if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
+- err = -E2BIG;
++ } else {
++ if (strlen(ops->kind) > (IFNAMSIZ - 3))
+ goto failed;
+- }
+ strlcpy(name, ops->kind, IFNAMSIZ);
+ strncat(name, "%d", 2);
+ }
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:28 -0700
+Subject: ipv6: sit: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453
+
+CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+ ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_lo
+ if (!create)
+ goto failed;
+
+- if (parms->name[0])
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ goto failed;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else
++ } else {
+ strcpy(name, "sit%d");
+-
++ }
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ipip6_tunnel_setup);
+ if (!dev)
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 23 Mar 2018 14:47:30 +0100
+Subject: ipv6: the entire IPv6 header chain must fit the first fragment
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ]
+
+While building ipv6 datagram we currently allow arbitrary large
+extheaders, even beyond pmtu size. The syzbot has found a way
+to exploit the above to trigger the following splat:
+
+kernel BUG at ./include/linux/skbuff.h:2073!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline]
+RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636
+RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293
+RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18
+RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000
+R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6
+R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0
+FS: 0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ip6_finish_skb include/net/ipv6.h:969 [inline]
+ udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073
+ udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343
+ inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:640
+ ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
+ __sys_sendmmsg+0x1ee/0x620 net/socket.c:2136
+ SYSC_sendmmsg net/socket.c:2167 [inline]
+ SyS_sendmmsg+0x35/0x60 net/socket.c:2162
+ do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4404c9
+RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9
+RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0
+R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000
+Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29
+5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d
+87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe
+RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0
+RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP:
+ffff8801bc18f0f0
+
+As stated by RFC 7112 section 5:
+
+ When a host fragments an IPv6 datagram, it MUST include the entire
+ IPv6 Header Chain in the First Fragment.
+
+So this patch addresses the issue dropping datagrams with excessive
+extheader length. It also updates the error path to report to the
+calling socket nonnegative pmtu values.
+
+The issue apparently predates git history.
+
+v1 -> v2: cleanup error path, as per Eric's suggestion
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1291,7 +1291,7 @@ static int __ip6_append_data(struct sock
+ const struct sockcm_cookie *sockc)
+ {
+ struct sk_buff *skb, *skb_prev = NULL;
+- unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
++ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
+ int exthdrlen = 0;
+ int dst_exthdrlen = 0;
+ int hh_len;
+@@ -1327,6 +1327,12 @@ static int __ip6_append_data(struct sock
+ sizeof(struct frag_hdr) : 0) +
+ rt->rt6i_nfheader_len;
+
++ /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
++ * the first fragment
++ */
++ if (headersize + transhdrlen > mtu)
++ goto emsgsize;
++
+ if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
+ (sk->sk_protocol == IPPROTO_UDP ||
+ sk->sk_protocol == IPPROTO_RAW)) {
+@@ -1342,9 +1348,8 @@ static int __ip6_append_data(struct sock
+
+ if (cork->length + length > maxnonfragsize - headersize) {
+ emsgsize:
+- ipv6_local_error(sk, EMSGSIZE, fl6,
+- mtu - headersize +
+- sizeof(struct ipv6hdr));
++ pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
++ ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
+ return -EMSGSIZE;
+ }
+
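Review bot: The clamp `max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0)` relies on the subtraction wrapping in unsigned arithmetic and then converting to a negative `int`. `mtu` is declared `unsigned int` in this function, and the new `goto emsgsize` is taken precisely when the headers no longer fit in `mtu`. That works on the kernel's targets but is hard to read. An explicit comparison states the intent, e.g. `pmtu = headersize < mtu + sizeof(struct ipv6hdr) ? mtu - headersize + sizeof(struct ipv6hdr) : 0;`; alternatively keep the expression and add `/* may wrap when headersize > mtu; clamp so the socket never sees a huge pmtu */`. The type of `headersize` is not visible in these hunks.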
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 26 Mar 2018 08:08:07 -0700
+Subject: net: fix possible out-of-bound read in skb_network_protocol()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]
+
+skb mac header is not necessarily set at the time skb_network_protocol()
+is called. Use skb->data instead.
+
+BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242
+
+CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
+ skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+ harmonize_features net/core/dev.c:2924 [inline]
+ netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
+ validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
+ validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
+ packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:639
+ ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
+ __sys_sendmsg+0xe5/0x210 net/socket.c:2081
+
+Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pravin B Shelar <pshelar@ovn.org>
+Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2667,7 +2667,7 @@ __be16 skb_network_protocol(struct sk_bu
+ if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
+ return 0;
+
+- eth = (struct ethhdr *)skb_mac_header(skb);
++ eth = (struct ethhdr *)skb->data;
+ type = eth->h_proto;
+ }
+
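Review bot: The switch from `skb_mac_header(skb)` to `skb->data` is correct only because of the `pskb_may_pull(skb, sizeof(struct ethhdr))` check directly above, and that coupling is not documented. I would add `/* mac header may be unset here; pskb_may_pull() above guarantees an ethhdr at skb->data */` above the assignment, so the pointer is not later hoisted above the pull or reverted to the mac-header accessor. The enclosing function starts and ends outside the hunk.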
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:26 -0700
+Subject: net: fool proof dev_valid_name()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ]
+
+We want to use dev_valid_name() to validate tunnel names,
+so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
+sure to not upset KASAN.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -993,7 +993,7 @@ bool dev_valid_name(const char *name)
+ {
+ if (*name == '\0')
+ return false;
+- if (strlen(name) >= IFNAMSIZ)
++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
+ return false;
+ if (!strcmp(name, ".") || !strcmp(name, ".."))
+ return false;
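Review bot: The bounded `strnlen()` makes the length check safe for a buffer that lacks a NUL terminator, but no comment states the resulting contract: `name` must either be NUL-terminated or span at least IFNAMSIZ bytes. The tunnel callers in this series now rely on that. I would add `/* @name may be unterminated; at most IFNAMSIZ bytes are examined before it is rejected */` and note that the `strcmp()` calls are safe only because they run after the length check. For backports, the tunnel-name patches that call `dev_valid_name()` on user-supplied names should not be applied without this change. The function body continues outside the hunk.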
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Thu, 29 Mar 2018 17:44:57 -0700
+Subject: net/ipv6: Fix route leaking between VRFs
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit b6cdbc85234b072340b8923e69f49ec293f905dc ]
+
+Donald reported that IPv6 route leaking between VRFs is not working.
+The root cause is the strict argument in the call to rt6_lookup when
+validating the nexthop spec.
+
+ip6_route_check_nh validates the gateway and device (if given) of a
+route spec. It in turn could call rt6_lookup (e.g., lookup in a given
+table did not succeed so it falls back to a full lookup) and if so
+sets the strict argument to 1. That means if the egress device is given,
+the route lookup needs to return a result with the same device. This
+strict requirement does not work with VRFs (IPv4 or IPv6) because the
+oif in the flow struct is overridden with the index of the VRF device
+to trigger a match on the l3mdev rule and force the lookup to its table.
+
+The right long term solution is to add an l3mdev index to the flow
+struct such that the oif is not overridden. That solution will not
+backport well, so this patch aims for a simpler solution to relax the
+strict argument if the route spec device is an l3mdev slave. As done
+in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
+RT6_LOOKUP_F_IFACE flag needs to be removed.
+
+Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
+Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -856,6 +856,9 @@ static struct rt6_info *ip6_pol_route_lo
+ struct fib6_node *fn;
+ struct rt6_info *rt;
+
++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF)
++ flags &= ~RT6_LOOKUP_F_IFACE;
++
+ read_lock_bh(&table->tb6_lock);
+ fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
+ restart:
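Review bot: Clearing `RT6_LOOKUP_F_IFACE` at the top of the function relaxes the egress-device match for every lookup that arrives with `FLOWI_FLAG_SKIP_NH_OIF` set, not only the nexthop validation described in the commit message, and the code does not say so. A comment such as `/* l3mdev flows carry the VRF device in oif, so a strict device match cannot succeed */` would record why the constraint is dropped. Where the flag is set is outside this hunk, so it is worth confirming that it is only set for l3mdev flows. The function continues past the hunk.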
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Jeff Barnhill <0xeffeff@gmail.com>
+Date: Thu, 5 Apr 2018 21:29:47 +0000
+Subject: net/ipv6: Increment OUTxxx counters after netfilter hook
+
+From: Jeff Barnhill <0xeffeff@gmail.com>
+
+
+[ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ]
+
+At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and
+IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call
+for NFPROTO_IPV6 / NF_INET_FORWARD. As a result, these counters get
+incremented regardless of whether or not the netfilter hook allows the
+packet to continue being processed. This change increments the counters
+in ip6_forward_finish() so that it will not happen if the netfilter hook
+chooses to terminate the packet, which is similar to how IPv4 works.
+
+Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -356,6 +356,11 @@ static int ip6_forward_proxy_check(struc
+ static inline int ip6_forward_finish(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
+ {
++ struct dst_entry *dst = skb_dst(skb);
++
++ __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
++ __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
++
+ return dst_output(net, sk, skb);
+ }
+
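Review bot: `IPSTATS_MIB_OUTOCTETS` is now computed from `skb->len` after the NF_INET_FORWARD hook has run, so the counter reflects any length change a hook made, and the code has no comment about it. I would note the intent above the two stats lines, `/* counted here so packets dropped by the FORWARD hook are not included */`, and evaluate the device once: `struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));`. The `__`-prefixed stat macros are kept from the old call site; whether every path that invokes this callback provides the same context as ip6_forward() is not visible here.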
+@@ -549,8 +554,6 @@ int ip6_forward(struct sk_buff *skb)
+
+ hdr->hop_limit--;
+
+- __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+- __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
+ net, NULL, skb, skb->dev, dst->dev,
+ ip6_forward_finish);
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Tue, 27 Mar 2018 14:41:19 +0300
+Subject: net/mlx4_core: Fix memory leak while delete slave's resources
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+
+[ Upstream commit 461d5f1b59490ce0096dfda45e10038c122a7892 ]
+
+mlx4_delete_all_resources_for_slave in resource tracker should free all
+memory allocated for a slave.
+While releasing memory of fs_rule, it misses releasing memory of
+fs_rule->mirr_mbox.
+
+Fixes: 78efed275117 ('net/mlx4_core: Support mirroring VF DMFS rules on both ports')
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+@@ -5048,6 +5048,7 @@ static void rem_slave_fs_rule(struct mlx
+ &tracker->res_tree[RES_FS_RULE]);
+ list_del(&fs_rule->com.list);
+ spin_unlock_irq(mlx4_tlock(dev));
++ kfree(fs_rule->mirr_mbox);
+ kfree(fs_rule);
+ state = 0;
+ break;
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Tue, 27 Mar 2018 14:41:18 +0300
+Subject: net/mlx4_en: Fix mixed PFC and Global pause user control requests
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+
+[ Upstream commit 6e8814ceb7e8f468659ef9253bd212c07ae19584 ]
+
+Global pause and PFC configuration should be mutually exclusive (i.e. only
+one of them at most can be set). However, once PFC was turned off,
+driver automatically turned Global pause on. This is a bug.
+
+Fix the driver behaviour to turn off PFC/Global once the user turned the
+other on.
+
+This also fixed a weird behaviour that at a current time, the profile
+had both PFC and global pause configuration turned on, which is
+Hardware-wise impossible and caused returning false positive indication
+to query tools.
+
+In addition, fix error code when setting global pause or PFC to change
+metadata only upon successful change.
+
+Also, removed useless debug print.
+
+Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
+Fixes: c27a02cd94d6 ("mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 72 +++++++++++++-----------
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 33 ++++++-----
+ drivers/net/ethernet/mellanox/mlx4/en_main.c | 4 -
+ 3 files changed, 62 insertions(+), 47 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+@@ -156,57 +156,63 @@ static int mlx4_en_dcbnl_getnumtcs(struc
+ static u8 mlx4_en_dcbnl_set_all(struct net_device *netdev)
+ {
+ struct mlx4_en_priv *priv = netdev_priv(netdev);
++ struct mlx4_en_port_profile *prof = priv->prof;
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u8 tx_pause, tx_ppp, rx_pause, rx_ppp;
+
+ if (!(priv->dcbx_cap & DCB_CAP_DCBX_VER_CEE))
+ return 1;
+
+ if (priv->cee_config.pfc_state) {
+ int tc;
++ rx_ppp = prof->rx_ppp;
++ tx_ppp = prof->tx_ppp;
+
+- priv->prof->rx_pause = 0;
+- priv->prof->tx_pause = 0;
+ for (tc = 0; tc < CEE_DCBX_MAX_PRIO; tc++) {
+ u8 tc_mask = 1 << tc;
+
+ switch (priv->cee_config.dcb_pfc[tc]) {
+ case pfc_disabled:
+- priv->prof->tx_ppp &= ~tc_mask;
+- priv->prof->rx_ppp &= ~tc_mask;
++ tx_ppp &= ~tc_mask;
++ rx_ppp &= ~tc_mask;
+ break;
+ case pfc_enabled_full:
+- priv->prof->tx_ppp |= tc_mask;
+- priv->prof->rx_ppp |= tc_mask;
++ tx_ppp |= tc_mask;
++ rx_ppp |= tc_mask;
+ break;
+ case pfc_enabled_tx:
+- priv->prof->tx_ppp |= tc_mask;
+- priv->prof->rx_ppp &= ~tc_mask;
++ tx_ppp |= tc_mask;
++ rx_ppp &= ~tc_mask;
+ break;
+ case pfc_enabled_rx:
+- priv->prof->tx_ppp &= ~tc_mask;
+- priv->prof->rx_ppp |= tc_mask;
++ tx_ppp &= ~tc_mask;
++ rx_ppp |= tc_mask;
+ break;
+ default:
+ break;
+ }
+ }
+- en_dbg(DRV, priv, "Set pfc on\n");
++ rx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->rx_pause;
++ tx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->tx_pause;
+ } else {
+- priv->prof->rx_pause = 1;
+- priv->prof->tx_pause = 1;
+- en_dbg(DRV, priv, "Set pfc off\n");
++ rx_ppp = 0;
++ tx_ppp = 0;
++ rx_pause = prof->rx_pause;
++ tx_pause = prof->tx_pause;
+ }
+
+ if (mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- priv->prof->tx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->rx_ppp)) {
++ tx_pause, tx_ppp, rx_pause, rx_ppp)) {
+ en_err(priv, "Failed setting pause params\n");
+ return 1;
+ }
+
++ prof->tx_ppp = tx_ppp;
++ prof->rx_ppp = rx_ppp;
++ prof->tx_pause = tx_pause;
++ prof->rx_pause = rx_pause;
++
+ return 0;
+ }
+
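Review bot: In the pfc_state branch, `rx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->rx_pause;` and the tx_pause line below it apply `!!` to an expression that is already 0 or 1, which makes the ternary harder to read. `rx_pause = (rx_ppp || tx_ppp) ? 0 : prof->rx_pause;` says the same thing. The assignments `rx_ppp = prof->rx_ppp;` and `tx_ppp = prof->tx_ppp;` also follow `int tc;` with no blank line between the declaration and the statements. A short comment on this branch saying that global pause is forced off whenever any PFC priority ends up enabled would document the mutual exclusion the commit message describes.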
+@@ -408,6 +414,7 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
+ struct mlx4_en_priv *priv = netdev_priv(dev);
+ struct mlx4_en_port_profile *prof = priv->prof;
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u32 tx_pause, tx_ppp, rx_pause, rx_ppp;
+ int err;
+
+ en_dbg(DRV, priv, "cap: 0x%x en: 0x%x mbc: 0x%x delay: %d\n",
+@@ -416,23 +423,26 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
+ pfc->mbc,
+ pfc->delay);
+
+- prof->rx_pause = !pfc->pfc_en;
+- prof->tx_pause = !pfc->pfc_en;
+- prof->rx_ppp = pfc->pfc_en;
+- prof->tx_ppp = pfc->pfc_en;
++ rx_pause = prof->rx_pause && !pfc->pfc_en;
++ tx_pause = prof->tx_pause && !pfc->pfc_en;
++ rx_ppp = pfc->pfc_en;
++ tx_ppp = pfc->pfc_en;
+
+ err = mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- prof->tx_pause,
+- prof->tx_ppp,
+- prof->rx_pause,
+- prof->rx_ppp);
+- if (err)
++ tx_pause, tx_ppp, rx_pause, rx_ppp);
++ if (err) {
+ en_err(priv, "Failed setting pause params\n");
+- else
+- mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
+- prof->rx_ppp, prof->rx_pause,
+- prof->tx_ppp, prof->tx_pause);
++ return err;
++ }
++
++ mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
++ rx_ppp, rx_pause, tx_ppp, tx_pause);
++
++ prof->tx_ppp = tx_ppp;
++ prof->rx_ppp = rx_ppp;
++ prof->rx_pause = rx_pause;
++ prof->tx_pause = tx_pause;
+
+ return err;
+ }
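Review bot: With the new early `return err;` in the failure branch, the trailing `return err;` can only return 0, so `return 0;` would state the success path directly. The same applies to mlx4_en_set_pauseparam() in the en_ethtool.c hunk. The four locals are declared `u32` in this function (in the previous hunk) but `u8` in mlx4_en_dcbnl_set_all() and mlx4_en_set_pauseparam(); one type across the three call sites would be easier to audit. The failure message here also omits the error code that the en_ethtool.c version now prints with `err = %d`.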
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1003,27 +1003,32 @@ static int mlx4_en_set_pauseparam(struct
+ {
+ struct mlx4_en_priv *priv = netdev_priv(dev);
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u8 tx_pause, tx_ppp, rx_pause, rx_ppp;
+ int err;
+
+ if (pause->autoneg)
+ return -EINVAL;
+
+- priv->prof->tx_pause = pause->tx_pause != 0;
+- priv->prof->rx_pause = pause->rx_pause != 0;
++ tx_pause = !!(pause->tx_pause);
++ rx_pause = !!(pause->rx_pause);
++ rx_ppp = priv->prof->rx_ppp && !(tx_pause || rx_pause);
++ tx_ppp = priv->prof->tx_ppp && !(tx_pause || rx_pause);
++
+ err = mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- priv->prof->tx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->rx_ppp);
+- if (err)
+- en_err(priv, "Failed setting pause params\n");
+- else
+- mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
+- priv->prof->rx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->tx_pause);
++ tx_pause, tx_ppp, rx_pause, rx_ppp);
++ if (err) {
++ en_err(priv, "Failed setting pause params, err = %d\n", err);
++ return err;
++ }
++
++ mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
++ rx_ppp, rx_pause, tx_ppp, tx_pause);
++
++ priv->prof->tx_pause = tx_pause;
++ priv->prof->rx_pause = rx_pause;
++ priv->prof->tx_ppp = tx_ppp;
++ priv->prof->rx_ppp = rx_ppp;
+
+ return err;
+ }
+--- a/drivers/net/ethernet/mellanox/mlx4/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_main.c
+@@ -163,9 +163,9 @@ static int mlx4_en_get_profile(struct ml
+ params->udp_rss = 0;
+ }
+ for (i = 1; i <= MLX4_MAX_PORTS; i++) {
+- params->prof[i].rx_pause = 1;
++ params->prof[i].rx_pause = !(pfcrx || pfctx);
+ params->prof[i].rx_ppp = pfcrx;
+- params->prof[i].tx_pause = 1;
++ params->prof[i].tx_pause = !(pfcrx || pfctx);
+ params->prof[i].tx_ppp = pfctx;
+ params->prof[i].tx_ring_size = MLX4_EN_DEF_TX_RING_SIZE;
+ params->prof[i].rx_ring_size = MLX4_EN_DEF_RX_RING_SIZE;
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Shahar Klein <shahark@mellanox.com>
+Date: Tue, 20 Mar 2018 14:44:40 +0200
+Subject: net/mlx5e: Sync netdev vxlan ports at open
+
+From: Shahar Klein <shahark@mellanox.com>
+
+
+[ Upstream commit a117f73dc2430443f23e18367fa545981129c1a6 ]
+
+When mlx5_core is loaded it is expected to sync ports
+with all vxlan devices so it can support vxlan encap/decap.
+This is done via udp_tunnel_get_rx_info(). Currently this
+call is set in mlx5e_nic_enable() and if the netdev is not in
+NETREG_REGISTERED state it will not be called.
+
+Normally on load the netdev state is not NETREG_REGISTERED
+so udp_tunnel_get_rx_info() will not be called.
+
+Moving udp_tunnel_get_rx_info() to mlx5e_open() so
+it will be called on netdev UP event and allow encap/decap.
+
+Fixes: 610e89e05c3f ("net/mlx5e: Don't sync netdev state when not registered")
+Signed-off-by: Shahar Klein <shahark@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -2741,6 +2741,9 @@ static int set_feature_lro(struct net_de
+
+ mutex_unlock(&priv->state_lock);
+
++ if (mlx5e_vxlan_allowed(priv->mdev))
++ udp_tunnel_get_rx_info(netdev);
++
+ return err;
+ }
+
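Review bot: The added udp_tunnel_get_rx_info() call runs even when the open failed, because it sits between mutex_unlock() and `return err;` with no check of err. `if (!err && mlx5e_vxlan_allowed(priv->mdev))` would limit the port sync to a device that actually came up. The code removed from mlx5e_nic_enable() took rtnl_lock() around the call, while this one relies on the caller already holding it, presumably because this is the mlx5e_open() path named in the commit message. An `ASSERT_RTNL();` or a one-line comment would record that assumption. The hunk header names set_feature_lro only because the start of the enclosing function lies outside the hunk.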
+@@ -3785,13 +3788,6 @@ static void mlx5e_nic_enable(struct mlx5
+ if (netdev->reg_state != NETREG_REGISTERED)
+ return;
+
+- /* Device already registered: sync netdev system state */
+- if (mlx5e_vxlan_allowed(mdev)) {
+- rtnl_lock();
+- udp_tunnel_get_rx_info(netdev);
+- rtnl_unlock();
+- }
+-
+ queue_work(priv->wq, &priv->set_rx_mode_work);
+ }
+
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+Date: Mon, 26 Mar 2018 14:58:32 -0400
+Subject: net sched actions: fix dumping which requires several messages to user space
+
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+
+
+[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]
+
+Fixes a bug in the tcf_dump_walker function that can cause some actions
+to not be reported when dumping a large number of actions. This issue
+became more aggravated when cookies feature was added. In particular
+this issue is manifest when large cookie values are assigned to the
+actions and when enough actions are created that the resulting table
+must be dumped in multiple batches.
+
+The number of actions returned in each batch is limited by the total
+number of actions and the memory buffer size. With small cookies
+the numeric limit is reached before the buffer size limit, which avoids
+the code path triggering this bug. When large cookies are used buffer
+fills before the numeric limit, and the erroneous code path is hit.
+
+For example after creating 32 csum actions with the cookie
+aaaabbbbccccdddd
+
+$ tc actions ls action csum
+total acts 26
+
+ action order 0: csum (tcp) action continue
+ index 1 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ .....
+
+ action order 25: csum (tcp) action continue
+ index 26 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+total acts 6
+
+ action order 0: csum (tcp) action continue
+ index 28 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ ......
+
+ action order 5: csum (tcp) action continue
+ index 32 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+Note that the action with index 27 is omitted from the report.
+
+Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
+Signed-off-by: Craig Dillabaugh <cdillaba@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -95,8 +95,10 @@ static int tcf_dump_walker(struct tcf_ha
+ continue;
+
+ nest = nla_nest_start(skb, n_i);
+- if (nest == NULL)
++ if (nest == NULL) {
++ index--;
+ goto nla_put_failure;
++ }
+ err = tcf_action_dump_1(skb, p, 0, 0);
+ if (err < 0) {
+ index--;
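Review bot: The `index--;` rollback now appears in both failure branches with no comment on why it is needed, which is how the nla_nest_start() branch came to miss it in the first place. A comment at the new site, such as `/* not dumped: step index back so the next batch retries this action */`, would make the invariant explicit; this reading follows the commit message's example, where the action with index 27 was skipped. If every jump to nla_put_failure needs the same rollback, doing it once at the label would remove the duplication, but the label and the rest of tcf_dump_walker() are outside the hunk, so that needs checking against the full function.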
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 6 Apr 2018 01:19:37 +0200
+Subject: net/sched: fix NULL dereference in the error path of tcf_bpf_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ]
+
+when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid
+number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or
+bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes
+the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf]
+ CPU: 3 PID: 5654 Comm: tc Tainted: G E 4.16.0.bpf_test+ #408
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__bpf_prog_put+0xc/0xc0
+ RSP: 0018:ffff9594003ef728 EFLAGS: 00010202
+ RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000
+ R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054
+ FS: 00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0
+ Call Trace:
+ tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf]
+ tcf_bpf_cleanup+0x4c/0x70 [act_bpf]
+ __tcf_idr_release+0x79/0x140
+ tcf_bpf_init+0x125/0x330 [act_bpf]
+ tcf_action_init_1+0x2cc/0x430
+ ? get_page_from_freelist+0x3f0/0x11b0
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.29+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? mem_cgroup_commit_charge+0x80/0x130
+ ? page_add_new_anon_rmap+0x73/0xc0
+ ? do_anonymous_page+0x2a2/0x560
+ ? __handle_mm_fault+0xc75/0xe20
+ __sys_sendmsg+0x58/0xa0
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7fcb2e58eba0
+ RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0
+ RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003
+ RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0
+ Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00
+ RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728
+ CR2: 0000000000000020
+
+Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f)
+is called only when f is not NULL.
+
+Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()")
+Reported-by: Lucas Bates <lucasb@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_bpf.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -245,10 +245,14 @@ static int tcf_bpf_init_from_efd(struct
+
+ static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg)
+ {
+- if (cfg->is_ebpf)
+- bpf_prog_put(cfg->filter);
+- else
+- bpf_prog_destroy(cfg->filter);
++ struct bpf_prog *filter = cfg->filter;
++
++ if (filter) {
++ if (cfg->is_ebpf)
++ bpf_prog_put(filter);
++ else
++ bpf_prog_destroy(filter);
++ }
+
+ kfree(cfg->bpf_ops);
+ kfree(cfg->bpf_name);
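Review bot: The new `if (filter)` guard has no comment saying when cfg->filter can legitimately be NULL. Per the commit message this is the tcf_bpf_init() error path, where tcf_bpf_init_from_ops() failed before a program was attached and the release callback still runs. A line such as `/* filter is NULL if init failed before a program was loaded */` above the guard would keep it from later being removed as redundant. The function body continues past the end of the hunk.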
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:55 +0100
+Subject: net/sched: fix NULL dereference in the error path of tunnel_key_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit abdadd3cfd3e7ea3da61ac774f84777d1f702058 ]
+
+when the following command
+
+ # tc action add action tunnel_key unset index 100
+
+is run for the first time, and tunnel_key_init() fails to allocate struct
+tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
+This causes the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
+ PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
+ CPU: 2 PID: 3101 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
+ RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
+ RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
+ R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
+ FS: 00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tunnel_key_init+0xd9/0x460 [act_tunnel_key]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7febca6deba0
+ RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
+ RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
+ RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
+ Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
+ RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
+ CR2: 0000000000000010
+
+Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
+dereferencing it.
+
+Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_tunnel_key.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -196,11 +196,12 @@ static void tunnel_key_release(struct tc
+ struct tcf_tunnel_key_params *params;
+
+ params = rcu_dereference_protected(t->params, 1);
++ if (params) {
++ if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
++ dst_release(¶ms->tcft_enc_metadata->dst);
+
+- if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+- dst_release(¶ms->tcft_enc_metadata->dst);
+-
+- kfree_rcu(params, rcu);
++ kfree_rcu(params, rcu);
++ }
+ }
+
+ static int tunnel_key_dump_addresses(struct sk_buff *skb,
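Review bot: Wrapping the whole body in `if (params) { ... }` re-indents the dst_release() and kfree_rcu() lines only to add a NULL check. An early `if (!params)` / `return;` right after the rcu_dereference_protected() call would give the same behaviour with a two-line patch and leave the existing lines untouched. The start of tunnel_key_release() is outside the hunk. The page prints the `&params->tcft_enc_metadata->dst` argument with a mangled leading character.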
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:57 +0100
+Subject: net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 2d433610176d6569e8b3a28f67bc72235bf69efc ]
+
+when the following command
+
+ # tc action replace action skbmod swap mac index 100
+
+is run for the first time, and tcf_skbmod_init() fails to allocate struct
+tcf_skbmod_params, tcf_skbmod_cleanup() calls kfree_rcu(NULL), thus
+causing the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: __call_rcu+0x23/0x2b0
+ PGD 8000000034057067 P4D 8000000034057067 PUD 74937067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in: act_skbmod(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul mbcache jbd2 crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep pcbc snd_seq snd_seq_device snd_pcm aesni_intel snd_timer crypto_simd glue_helper snd cryptd virtio_balloon joydev soundcore pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_net virtio_blk ata_piix libata crc32c_intel virtio_pci serio_raw virtio_ring virtio i2c_core floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_skbmod]
+ CPU: 3 PID: 3144 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__call_rcu+0x23/0x2b0
+ RSP: 0018:ffffbd2e403e7798 EFLAGS: 00010246
+ RAX: ffffffffc0872080 RBX: ffff981d34bff780 RCX: 00000000ffffffff
+ RDX: ffffffff922a5f00 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000021f
+ R10: 000000003d003000 R11: 0000000000aaaaaa R12: 0000000000000000
+ R13: ffffffff922a5f00 R14: 0000000000000001 R15: ffff981d3b698c2c
+ FS: 00007f3678292740(0000) GS:ffff981d3fd80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 000000007c57a006 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tcf_skbmod_init+0x1d1/0x210 [act_skbmod]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? filemap_map_pages+0x34a/0x3a0
+ ? __handle_mm_fault+0xbfd/0xe20
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f36776a3ba0
+ RSP: 002b:00007fff4703b618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fff4703b740 RCX: 00007f36776a3ba0
+ RDX: 0000000000000000 RSI: 00007fff4703b690 RDI: 0000000000000003
+ RBP: 000000005aaaba36 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fff4703b0a0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fff4703b754 R14: 0000000000000001 R15: 0000000000669f60
+ Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
+ RIP: __call_rcu+0x23/0x2b0 RSP: ffffbd2e403e7798
+ CR2: 0000000000000008
+
+Fix it in tcf_skbmod_cleanup(), ensuring that kfree_rcu(p, ...) is called
+only when p is not NULL.
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbmod.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -192,7 +192,8 @@ static void tcf_skbmod_cleanup(struct tc
+ struct tcf_skbmod_params *p;
+
+ p = rcu_dereference_protected(d->skbmod_p, 1);
+- kfree_rcu(p, rcu);
++ if (p)
++ kfree_rcu(p, rcu);
+ }
+
+ static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Alexander Potapenko <glider@google.com>
+Date: Fri, 23 Mar 2018 13:49:02 +0100
+Subject: netlink: make sure nladdr has correct size in netlink_connect()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]
+
+KMSAN reports use of uninitialized memory in the case when |alen| is
+smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
+fully copied from the userspace.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1054,6 +1054,9 @@ static int netlink_connect(struct socket
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
++ if (alen < sizeof(struct sockaddr_nl))
++ return -EINVAL;
++
+ if ((nladdr->nl_groups || nladdr->nl_pid) &&
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
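Review bot: The length check is added after `addr->sa_family` has already been read in the context line at the top of the hunk, so it protects only the nl_groups/nl_pid reads that follow. Whether a smaller length check guards sa_family earlier in netlink_connect() is outside the hunk and worth confirming. Those two fields feed the netlink_allowed() permission decision directly below, so a comment such as `/* nladdr is only fully copied from userspace when alen covers struct sockaddr_nl */` would record why the check must stay ahead of them.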
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 2 Apr 2018 18:48:37 -0700
+Subject: pptp: remove a buggy dst release in pptp_connect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ]
+
+Once dst has been cached in socket via sk_setup_caps(),
+it is illegal to call ip_rt_put() (or dst_release()),
+since sk_setup_caps() did not change dst refcount.
+
+We can still dereference it since we hold socket lock.
+
+Caught by syzbot :
+
+BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185
+Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088
+
+CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1a7/0x27d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+ dst_release+0x27/0xa0 net/core/dst.c:185
+ sk_dst_set include/net/sock.h:1812 [inline]
+ sk_dst_reset include/net/sock.h:1824 [inline]
+ sock_setbindtodevice net/core/sock.c:610 [inline]
+ sock_setsockopt+0x431/0x1b20 net/core/sock.c:707
+ SYSC_setsockopt net/socket.c:1845 [inline]
+ SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4552d9
+RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9
+RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
+R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000
+
+Allocated by task 20088:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
+ dst_alloc+0x11f/0x1a0 net/core/dst.c:104
+ rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520
+ __mkroute_output net/ipv4/route.c:2265 [inline]
+ ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493
+ ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322
+ __ip_route_output_key include/net/route.h:126 [inline]
+ ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577
+ ip_route_output_ports include/net/route.h:163 [inline]
+ pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453
+ SYSC_connect+0x213/0x4a0 net/socket.c:1639
+ SyS_connect+0x24/0x30 net/socket.c:1620
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Freed by task 20082:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
+ __cache_free mm/slab.c:3486 [inline]
+ kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
+ dst_destroy+0x266/0x380 net/core/dst.c:140
+ dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2675 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
+ rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+
+The buggy address belongs to the object at ffff8801c54dc000
+ which belongs to the cache ip_dst_cache of size 168
+The buggy address is located 64 bytes inside of
+ 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
+The buggy address belongs to the page:
+page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
+raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -465,7 +465,6 @@ static int pptp_connect(struct socket *s
+ po->chan.mtu = dst_mtu(&rt->dst);
+ if (!po->chan.mtu)
+ po->chan.mtu = PPP_MRU;
+- ip_rt_put(rt);
+ po->chan.mtu -= PPTP_HEADER_OVERHEAD;
+
+ po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 26 Mar 2018 19:19:30 +0200
+Subject: r8169: fix setting driver_data after register_netdev
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 19c9ea363a244f85f90a424f9936e6d56449e33c ]
+
+pci_set_drvdata() is called only after registering the net_device,
+therefore we could run into a NPE if one of the functions using
+driver_data is called before it's set.
+
+Fix this by calling pci_set_drvdata() before registering the
+net_device.
+
+This fix is a candidate for stable. As far as I can see the
+bug has been there in kernel version 3.2 already, therefore
+I can't provide a reference which commit is fixed by it.
+
+The fix may need small adjustments per kernel version because
+due to other changes the label which is jumped to if
+register_netdev() fails has changed over time.
+
+Reported-by: David Miller <davem@davemloft.net>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8446,12 +8446,12 @@ static int rtl_init_one(struct pci_dev *
+ goto err_out_msi_5;
+ }
+
++ pci_set_drvdata(pdev, dev);
++
+ rc = register_netdev(dev);
+ if (rc < 0)
+ goto err_out_cnt_6;
+
+- pci_set_drvdata(pdev, dev);
+-
+ netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
+ rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
+ (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
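Review bot: The reason `pci_set_drvdata(pdev, dev)` now has to sit above `register_netdev(dev)` is not recorded at the call site, so a later cleanup could move it back. A one-line comment would pin the ordering, for example `/* set drvdata first: callbacks that read it can run as soon as the netdev is registered */`. The failure path after `register_netdev()` jumps to `err_out_cnt_6`, which is outside the hunk, so whether the already-set drvdata pointer matters there cannot be judged from these lines. rtl_init_one begins and ends outside the hunk.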
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 1 Apr 2018 22:40:35 +0800
+Subject: route: check sysctl_fib_multipath_use_neigh earlier than hash
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 6174a30df1b902e1fedbd728f5343937e83e64e6 ]
+
+Prior to this patch, when one packet is hashed into path [1]
+(hash <= nh_upper_bound) and it's neigh is dead, it will try
+path [2]. However, if path [2]'s neigh is alive but it's
+hash > nh_upper_bound, it will not return this alive path.
+This packet will never be sent even if path [2] is alive.
+
+ 3.3.3.1/24:
+ nexthop via 1.1.1.254 dev eth1 weight 1 <--[1] (dead neigh)
+ nexthop via 2.2.2.254 dev eth2 weight 1 <--[2]
+
+With sysctl_fib_multipath_use_neigh set is supposed to find an
+available path respecting to the l3/l4 hash. But if there is
+no available route with this hash, it should at least return
+an alive route even with other hash.
+
+This patch is to fix it by processing fib_multipath_use_neigh
+earlier than the hash check, so that it will at least return
+an alive route if there is when fib_multipath_use_neigh is
+enabled. It's also compatible with before when there are alive
+routes with the l3/l4 hash.
+
+Fixes: a6db4494d218 ("net: ipv4: Consider failed nexthops in multipath routes")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1611,18 +1611,20 @@ void fib_select_multipath(struct fib_res
+ bool first = false;
+
+ for_nexthops(fi) {
++ if (net->ipv4.sysctl_fib_multipath_use_neigh) {
++ if (!fib_good_nh(nh))
++ continue;
++ if (!first) {
++ res->nh_sel = nhsel;
++ first = true;
++ }
++ }
++
+ if (hash > atomic_read(&nh->nh_upper_bound))
+ continue;
+
+- if (!net->ipv4.sysctl_fib_multipath_use_neigh ||
+- fib_good_nh(nh)) {
+- res->nh_sel = nhsel;
+- return;
+- }
+- if (!first) {
+- res->nh_sel = nhsel;
+- first = true;
+- }
++ res->nh_sel = nhsel;
++ return;
+ } endfor_nexthops(fi);
+ }
+ #endif
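Review bot: With `sysctl_fib_multipath_use_neigh` set, a nexthop list in which no entry passes `fib_good_nh(nh)` now hits `continue` on every iteration, so `res->nh_sel` is never written by this loop and keeps whatever the caller stored. The removed code recorded the first hash-matching nexthop as a fallback in that case; the new behaviour looks intentional but is not stated anywhere. A comment above the loop would help, e.g. `/* if no nexthop has a valid neighbour, res->nh_sel is left untouched */`. The head of fib_select_multipath is outside the hunk, so the initial value of `res->nh_sel` should be confirmed there.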
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 17:15:22 -0700
+Subject: sctp: do not leak kernel memory to user space
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
+
+syzbot produced a nice report [1]
+
+Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
+to user space, because sin_zero (padding field) was not properly cleared.
+
+[1]
+BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
+BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
+CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4401c9
+RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
+RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
+R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+
+Bytes 8-15 of 16 are uninitialized
+
+==================================================================
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ panic+0x39d/0x940 kernel/panic.c:183
+ kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -727,8 +727,10 @@ static int sctp_v6_addr_to_user(struct s
+ sctp_v6_map_v4(addr);
+ }
+
+- if (addr->sa.sa_family == AF_INET)
++ if (addr->sa.sa_family == AF_INET) {
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
++ }
+ return sizeof(struct sockaddr_in6);
+ }
+
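Review bot: The `memset()` of `addr->v4.sin_zero` carries no comment saying why padding is cleared at this point, and the reason is a security one: per the commit description the structure is subsequently copied to user space. I would add `/* sin_zero is padding that reaches user space; clear it so no stale kernel bytes are copied out */` above the call. It may also be worth checking whether other producers of an AF_INET `union sctp_addr` leave `sin_zero` unset, since this fix covers only the path through sctp_v6_addr_to_user. The start of the function is outside the hunk.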
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 8 Apr 2018 07:52:08 -0700
+Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]
+
+Check must happen before call to ipv6_addr_v4mapped()
+
+syzbot report was :
+
+BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+ sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+ sctp_bind+0x149/0x190 net/sctp/socket.c:332
+ inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fd49
+RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
+R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----address@SYSC_bind
+Variable was created at:
+ SYSC_bind+0x6f/0x4b0 net/socket.c:1461
+ SyS_bind+0x54/0x80 net/socket.c:1460
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -335,11 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(
+ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+ return NULL;
+
+- /* V4 mapped address are really of AF_INET family */
+- if (addr->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+- !opt->pf->af_supported(AF_INET, opt))
+- return NULL;
++ if (addr->sa.sa_family == AF_INET6) {
++ if (len < SIN6_LEN_RFC2133)
++ return NULL;
++ /* V4 mapped address are really of AF_INET family */
++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
++ !opt->pf->af_supported(AF_INET, opt))
++ return NULL;
++ }
+
+ /* If we get this far, af is valid. */
+ af = sctp_get_af_specific(addr->sa.sa_family);
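Review bot: The new `len < SIN6_LEN_RFC2133` test exists to guard the read of `addr->v6.sin6_addr` in `ipv6_addr_v4mapped()`, but nothing at the call site says so, and the ordering is the whole fix. A comment such as `/* sin6_addr is read below; reject addresses too short to contain it */` would keep the check from being folded into a later length test. The call to `af_supported(addr->sa.sa_family, opt)` above it also reads from `addr`; presumably a minimum-size check earlier in sctp_sockaddr_af covers `sa_family`, but that part is outside the hunk and should be confirmed.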
virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
random-use-lockless-method-of-accessing-and-updating-f-reg_idx.patch
clk-at91-fix-clk-generated-compilation.patch
+arp-fix-arp_filter-on-l3slave-devices.patch
+ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
+net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
+net-ipv6-fix-route-leaking-between-vrfs.patch
+net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
+netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
+pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
+r8169-fix-setting-driver_data-after-register_netdev.patch
+sctp-do-not-leak-kernel-memory-to-user-space.patch
+sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
+sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
+vhost-correctly-remove-wait-queue-during-poll-failure.patch
+vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
+bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
+net-fool-proof-dev_valid_name.patch
+ip_tunnel-better-validate-user-provided-tunnel-names.patch
+ipv6-sit-better-validate-user-provided-tunnel-names.patch
+ip6_gre-better-validate-user-provided-tunnel-names.patch
+ip6_tunnel-better-validate-user-provided-tunnel-names.patch
+vti6-better-validate-user-provided-tunnel-names.patch
+net-mlx5e-sync-netdev-vxlan-ports-at-open.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tunnel_key_init.patch
+net-sched-fix-null-dereference-on-the-error-path-of-tcf_skbmod_init.patch
+net-mlx4_en-fix-mixed-pfc-and-global-pause-user-control-requests.patch
+vhost-validate-log-when-iotlb-is-enabled.patch
+route-check-sysctl_fib_multipath_use_neigh-earlier-than-hash.patch
+team-move-dev_mc_sync-after-master_upper_dev_link-in-team_port_add.patch
+vhost_net-add-missing-lock-nesting-notation.patch
+net-mlx4_core-fix-memory-leak-while-delete-slave-s-resources.patch
+strparser-fix-sign-of-err-codes.patch
+net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sat, 31 Mar 2018 23:42:03 +0800
+Subject: sky2: Increase D3 delay to sky2 stops working after suspend
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+
+[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ]
+
+The sky2 ethernet stops working after system resume from suspend:
+[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
+
+The current 150ms delay is not enough, change it to 200ms can solve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1758507
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5079,7 +5079,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 150;
++ pdev->d3_delay = 200;
+
+ return 0;
+
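Review bot: `pdev->d3_delay = 200;` is an empirically chosen value with no explanation in the code; the only rationale (150 ms was too short after resume) lives in the commit description. A short comment, e.g. `/* ms; 150 was too short for the device to leave D3 on resume */`, would keep the number from being lowered again. The rest of sky2_probe is outside the hunk.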
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Dave Watson <davejwatson@fb.com>
+Date: Mon, 26 Mar 2018 12:31:21 -0700
+Subject: strparser: Fix sign of err codes
+
+From: Dave Watson <davejwatson@fb.com>
+
+
+[ Upstream commit cd00edc179863848abab5cc5683de5b7b5f70954 ]
+
+strp_parser_err is called with a negative code everywhere, which then
+calls abort_parser with a negative code. strp_msg_timeout calls
+abort_parser directly with a positive code. Negate ETIMEDOUT
+to match signed-ness of other calls.
+
+The default abort_parser callback, strp_abort_strp, sets
+sk->sk_err to err. Also negate the error here so sk_err always
+holds a positive value, as the rest of the net code expects. Currently
+a negative sk_err can result in endless loops, or user code that
+thinks it actually sent/received err bytes.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Signed-off-by: Dave Watson <davejwatson@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -59,7 +59,7 @@ static void strp_abort_rx_strp(struct st
+ strp->rx_stopped = 1;
+
+ /* Report an error on the lower socket */
+- csk->sk_err = err;
++ csk->sk_err = -err;
+ csk->sk_error_report(csk);
+ }
+
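Review bot: After this change `strp_abort_rx_strp()` stores `-err` in `csk->sk_err`, so it silently depends on every caller passing a negative errno; a positive argument would again leave a negative `sk_err`. The contract deserves a comment on the function, e.g. `/* err is a negative errno; sk_err holds the positive value */`, and a `WARN_ON_ONCE(err > 0);` would catch a caller that gets it wrong. The second hunk changes what `strp->cb.abort_parser` receives on timeout to `-ETIMEDOUT`; any non-default abort_parser callback that assumed a positive code should be checked, which cannot be done from the lines shown.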
+@@ -422,7 +422,7 @@ static void strp_rx_msg_timeout(unsigned
+ /* Message assembly timed out */
+ STRP_STATS_INCR(strp->stats.rx_msg_timeouts);
+ lock_sock(strp->sk);
+- strp->cb.abort_parser(strp, ETIMEDOUT);
++ strp->cb.abort_parser(strp, -ETIMEDOUT);
+ release_sock(strp->sk);
+ }
+
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:25:06 +0800
+Subject: team: move dev_mc_sync after master_upper_dev_link in team_port_add
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 982cf3b3999d39a2eaca0a65542df33c19b5d814 ]
+
+The same fix as in 'bonding: move dev_mc_sync after master_upper_dev_link
+in bond_enslave' is needed for team driver.
+
+The panic can be reproduced easily:
+
+ ip link add team1 type team
+ ip link set team1 up
+ ip link add link team1 vlan1 type vlan id 80
+ ip link set vlan1 master team1
+
+Fixes: cb41c997d444 ("team: team should sync the port's uc/mc addrs when add a port")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1203,11 +1203,6 @@ static int team_port_add(struct team *te
+ goto err_dev_open;
+ }
+
+- netif_addr_lock_bh(dev);
+- dev_uc_sync_multiple(port_dev, dev);
+- dev_mc_sync_multiple(port_dev, dev);
+- netif_addr_unlock_bh(dev);
+-
+ err = vlan_vids_add_by_dev(port_dev, dev);
+ if (err) {
+ netdev_err(dev, "Failed to add vlan ids to device %s\n",
+@@ -1247,6 +1242,11 @@ static int team_port_add(struct team *te
+ goto err_option_port_add;
+ }
+
++ netif_addr_lock_bh(dev);
++ dev_uc_sync_multiple(port_dev, dev);
++ dev_mc_sync_multiple(port_dev, dev);
++ netif_addr_unlock_bh(dev);
++
+ port->index = -1;
+ list_add_tail_rcu(&port->list, &team->port_list);
+ team_port_enable(team, port);
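Review bot: The `dev_uc_sync_multiple()`/`dev_mc_sync_multiple()` block added in this hunk is safe only because no step after it can fail, and the third hunk drops the matching `dev_uc_unsync()`/`dev_mc_unsync()` from the error path. That invariant is implicit. I would add a comment above `netif_addr_lock_bh(dev);` along the lines of `/* must stay after the last failure point: the error path no longer unsyncs addresses */`. The remainder of team_port_add after `team_port_enable()` is outside the hunk, so it should be confirmed that nothing there jumps to an error label.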
+@@ -1271,8 +1271,6 @@ err_enable_netpoll:
+ vlan_vids_del_by_dev(port_dev, dev);
+
+ err_vids_add:
+- dev_uc_unsync(port_dev, dev);
+- dev_mc_unsync(port_dev, dev);
+ dev_close(port_dev);
+
+ err_dev_open:
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 27 Mar 2018 20:50:52 +0800
+Subject: vhost: correctly remove wait queue during poll failure
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit dc6455a71c7fc5117977e197f67f71b49f27baba ]
+
+We tried to remove vq poll from wait queue, but do not check whether
+or not it was in a list before. This will lead double free. Fixing
+this by switching to use vhost_poll_stop() which zeros poll->wqh after
+removing poll from waitqueue to make sure it won't be freed twice.
+
+Cc: Darren Kenny <darren.kenny@oracle.com>
+Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
+Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -211,8 +211,7 @@ int vhost_poll_start(struct vhost_poll *
+ if (mask)
+ vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
+ if (mask & POLLERR) {
+- if (poll->wqh)
+- remove_wait_queue(poll->wqh, &poll->wait);
++ vhost_poll_stop(poll);
+ ret = -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 29 Mar 2018 16:00:04 +0800
+Subject: vhost: validate log when IOTLB is enabled
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ]
+
+Vq log_base is the userspace address of bitmap which has nothing to do
+with IOTLB. So it needs to be validated unconditionally otherwise we
+may try use 0 as log_base which may lead to pin pages that will lead
+unexpected result (e.g trigger BUG_ON() in set_bit_to_user()).
+
+Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
+Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1175,14 +1175,12 @@ static int vq_log_access_ok(struct vhost
+ /* Caller should have vq mutex and device mutex */
+ int vhost_vq_access_ok(struct vhost_virtqueue *vq)
+ {
+- if (vq->iotlb) {
+- /* When device IOTLB was used, the access validation
+- * will be validated during prefetching.
+- */
+- return 1;
+- }
+- return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used) &&
+- vq_log_access_ok(vq, vq->log_base);
++ int ret = vq_log_access_ok(vq, vq->log_base);
++
++ if (ret || vq->iotlb)
++ return ret;
++
++ return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
+
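Review bot: The condition `if (ret || vq->iotlb)` is inverted for the non-IOTLB case: when `vq_log_access_ok()` succeeds, `ret` is non-zero and the function returns before `vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used)` is ever called. The removed code required both checks to pass, so as written the descriptor, avail and used ring addresses are no longer validated here whenever the log check passes. The early return should fire when the log check fails or when the IOTLB is in use: `if (!ret || vq->iotlb)` followed by the existing `return ret;`. The comment explaining that IOTLB accesses are validated at prefetch time was removed with the old block and is worth keeping next to the `vq->iotlb` test.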
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 26 Mar 2018 16:10:23 +0800
+Subject: vhost_net: add missing lock nesting notation
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit aaa3149bbee9ba9b4e6f0bd6e3e7d191edeae942 ]
+
+We try to hold TX virtqueue mutex in vhost_net_rx_peek_head_len()
+after RX virtqueue mutex is held in handle_rx(). This requires an
+appropriate lock nesting notation to calm down deadlock detector.
+
+Fixes: 0308813724606 ("vhost_net: basic polling support")
+Reported-by: syzbot+7f073540b1384a614e09@syzkaller.appspotmail.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -524,7 +524,7 @@ static int vhost_net_rx_peek_head_len(st
+
+ if (!len && vq->busyloop_timeout) {
+ /* Both tx vq and rx socket were polled here */
+- mutex_lock(&vq->mutex);
++ mutex_lock_nested(&vq->mutex, 1);
+ vhost_disable_notify(&net->dev, vq);
+
+ preempt_disable();
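Review bot: The lockdep subclasses are passed as bare `1` and `0`, which hides that they distinguish the TX virtqueue mutex taken inside `vhost_net_rx_peek_head_len()` from the RX one taken in `handle_rx()` (second hunk). Naming them would make the nesting order readable, e.g. `mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_TX);` here and `mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);` in `handle_rx()`, provided the file's virtqueue index enum gives those names the values 1 and 0; otherwise a comment at each call stating which lock is the outer one. Both functions extend beyond their hunks.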
+@@ -657,7 +657,7 @@ static void handle_rx(struct vhost_net *
+ struct iov_iter fixup;
+ __virtio16 num_buffers;
+
+- mutex_lock(&vq->mutex);
++ mutex_lock_nested(&vq->mutex, 0);
+ sock = vq->private_data;
+ if (!sock)
+ goto out;
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 30 Mar 2018 09:44:00 +0800
+Subject: vlan: also check phy_driver ts_info for vlan's real device
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit ec1d8ccb07deaf30fd0508af6755364ac47dc08d ]
+
+Just like function ethtool_get_ts_info(), we should also consider the
+phy_driver ts_info call back. For example, driver dp83640.
+
+Fixes: 37dd9255b2f6 ("vlan: Pass ethtool get_ts_info queries to real device.")
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -29,6 +29,7 @@
+ #include <linux/net_tstamp.h>
+ #include <linux/etherdevice.h>
+ #include <linux/ethtool.h>
++#include <linux/phy.h>
+ #include <net/arp.h>
+ #include <net/switchdev.h>
+
+@@ -658,8 +659,11 @@ static int vlan_ethtool_get_ts_info(stru
+ {
+ const struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+ const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops;
++ struct phy_device *phydev = vlan->real_dev->phydev;
+
+- if (ops->get_ts_info) {
++ if (phydev && phydev->drv && phydev->drv->ts_info) {
++ return phydev->drv->ts_info(phydev, info);
++ } else if (ops->get_ts_info) {
+ return ops->get_ts_info(vlan->real_dev, info);
+ } else {
+ info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
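Review bot: The new branch order (PHY driver `ts_info` first, then `ops->get_ts_info`) duplicates logic that the commit description attributes to `ethtool_get_ts_info()`, and nothing in the code ties the two together. A comment such as `/* keep in step with ethtool_get_ts_info(): PHY driver callback takes precedence over ethtool_ops */` would flag that for whoever changes either side. As a style point, the two branches shown both return, so the `else if` could be a plain `if`. The function continues past the end of the hunk.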
--- /dev/null
+From foo@baz Wed Apr 11 10:26:56 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:31 -0700
+Subject: vti6: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(s
+ char name[IFNAMSIZ];
+ int err;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6_vti%%d");
++ }
+
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
+ if (!dev)
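Review bot: `dev_valid_name(p->name)` runs on the user-supplied `p->name` before `strlcpy()` has bounded it, so the check is only safe if `dev_valid_name()` itself never scans past `IFNAMSIZ` bytes. That presumably is what `net-fool-proof-dev_valid_name.patch`, listed earlier in this series, guarantees, but the dependency is invisible here. I would note it at the call, e.g. `/* p->name comes from user space and may be unterminated; relies on dev_valid_name() bounding its scan to IFNAMSIZ */`. The `failed` label is outside the hunk, so what is returned on rejection should be confirmed there.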