4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Apr 2019 16:21:35 +0000 (18:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Apr 2019 16:21:35 +0000 (18:21 +0200)
added patches:
bonding-fix-event-handling-for-stacked-bonds.patch
ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
ipv4-recompile-ip-options-in-ipv4_link_failure.patch
net-atm-fix-potential-spectre-v1-vulnerabilities.patch
net-bridge-fix-per-port-af_packet-sockets.patch
net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
vhost-reject-zero-size-iova-range.patch

queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch [new file with mode: 0644]
queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch [new file with mode: 0644]
queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch [new file with mode: 0644]
queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch [new file with mode: 0644]
queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch [new file with mode: 0644]
queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch [new file with mode: 0644]
queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]
queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch [new file with mode: 0644]
queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch [new file with mode: 0644]
queue-4.9/vhost-reject-zero-size-iova-range.patch [new file with mode: 0644]

diff --git a/queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch b/queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch
new file mode 100644 (file)
index 0000000..546996a
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Fri, 12 Apr 2019 15:04:10 +0200
+Subject: bonding: fix event handling for stacked bonds
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ]
+
+When a bond is enslaved to another bond, bond_netdev_event() only
+handles the event as if the bond is a master, and skips treating the
+bond as a slave.
+
+This leads to a refcount leak on the slave, since we don't remove the
+adjacency to its master and the master holds a reference on the slave.
+
+Reproducer:
+  ip link add bondL type bond
+  ip link add bondU type bond
+  ip link set bondL master bondU
+  ip link del bondL
+
+No "Fixes:" tag, this code is older than git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3134,8 +3134,12 @@ static int bond_netdev_event(struct noti
+               return NOTIFY_DONE;
+       if (event_dev->flags & IFF_MASTER) {
++              int ret;
++
+               netdev_dbg(event_dev, "IFF_MASTER\n");
+-              return bond_master_netdev_event(event, event_dev);
++              ret = bond_master_netdev_event(event, event_dev);
++              if (ret != NOTIFY_DONE)
++                      return ret;
+       }
+       if (event_dev->flags & IFF_SLAVE) {
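Review bot: The fall-through after `if (ret != NOTIFY_DONE) return ret;` is the whole fix, yet nothing in the code says that a stacked bond carries both IFF_MASTER and IFF_SLAVE and must reach the slave branch. A comment above the new `ret = bond_master_netdev_event(...)` line would protect it from being "simplified" back to a direct return, for example `/* a stacked bond is both master and slave: continue to slave handling unless the master handler acted on the event */`. Slave handling is still skipped whenever the master handler returns anything other than NOTIFY_DONE; whether that can happen for the unregister event behind the refcount leak is not visible here and is worth confirming. bond_netdev_event() starts and ends outside the hunk.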
diff --git a/queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
new file mode 100644 (file)
index 0000000..b9aa390
--- /dev/null
@@ -0,0 +1,88 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 13 Apr 2019 17:32:21 -0700
+Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]
+
+fib_compute_spec_dst() needs to be called under rcu protection.
+
+syzbot reported :
+
+WARNING: suspicious RCU usage
+5.1.0-rc4+ #165 Not tainted
+include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by swapper/0/0:
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
+ __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
+ fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
+ spec_dst_fill net/ipv4/ip_options.c:245 [inline]
+ __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
+ ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
+ dst_link_failure include/net/dst.h:427 [inline]
+ arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
+ neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
+ neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1170,14 +1170,20 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+-      struct rtable *rt;
+       struct ip_options opt;
++      struct rtable *rt;
++      int res;
+       /* Recompile ip options since IPCB may not be valid anymore.
+        */
+       memset(&opt, 0, sizeof(opt));
+       opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+-      if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++
++      rcu_read_lock();
++      res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++      rcu_read_unlock();
++
++      if (res)
+               return;
+       __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
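Review bot: `opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);` takes the header length straight from the packet with no check visible in this hunk, so an ihl below 5 makes the subtraction wrap. __ip_options_compile() then walks options using a length that was never validated against the skb's linear data. The trace in the description shows this function being reached from the neighbour timer, so the header should not be assumed to have been re-validated on this path. A guard before the memset such as `if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || ip_hdr(skb)->ihl < 5) return;` would close this, plus a second pskb_network_may_pull() for `ihl * 4` when options are present. The line is introduced by ipv4-recompile-ip-options-in-ipv4_link_failure.patch further down this page, so the check belongs with that change; ipv4_link_failure() continues past the end of the hunk.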
diff --git a/queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch
new file mode 100644 (file)
index 0000000..ad697cf
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Fri, 12 Apr 2019 16:19:27 -0400
+Subject: ipv4: recompile ip options in ipv4_link_failure
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ]
+
+Recompile IP options since IPCB may not be valid anymore when
+ipv4_link_failure is called from arp_error_report.
+
+Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
+and the commit before that (9ef6b42ad6fd) for a similar issue.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1171,8 +1171,16 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+       struct rtable *rt;
++      struct ip_options opt;
+-      icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
++      /* Recompile ip options since IPCB may not be valid anymore.
++       */
++      memset(&opt, 0, sizeof(opt));
++      opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++      if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++              return;
++
++      __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+       rt = skb_rtable(skb);
+       if (rt)
diff --git a/queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644 (file)
index 0000000..0857379
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 15 Apr 2019 15:57:23 -0500
+Subject: net: atm: Fix potential Spectre v1 vulnerabilities
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ]
+
+arg is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
+
+Fix this by sanitizing arg before using it to index dev_lec.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/lec.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -721,7 +721,10 @@ static int lec_vcc_attach(struct atm_vcc
+ static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
+ {
+-      if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
++      if (arg < 0 || arg >= MAX_LEC_ITF)
++              return -EINVAL;
++      arg = array_index_nospec(arg, MAX_LEC_ITF);
++      if (!dev_lec[arg])
+               return -EINVAL;
+       vcc->proto_data = dev_lec[arg];
+       return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
+@@ -739,6 +742,7 @@ static int lecd_attach(struct atm_vcc *v
+               i = arg;
+       if (arg >= MAX_LEC_ITF)
+               return -EINVAL;
++      i = array_index_nospec(arg, MAX_LEC_ITF);
+       if (!dev_lec[i]) {
+               int size;
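Review bot: In the lecd_attach() hunk the new `i = array_index_nospec(arg, MAX_LEC_ITF);` clamps `arg` rather than `i`, so it overwrites whatever the branch ending in `i = arg;` just above had chosen. That branch's condition lies outside the hunk. If it maps a negative arg to a default slot, the result now depends on array_index_nospec() yielding 0 for an out-of-range index, which works but is not obvious to a reader. `i = array_index_nospec(i, MAX_LEC_ITF);` keeps the earlier selection and still bounds the speculative index. The patch adds no `#include <linux/nospec.h>`, so it is worth confirming that the 4.9 net/atm/lec.c already includes it.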
diff --git a/queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch b/queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch
new file mode 100644 (file)
index 0000000..7e25209
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 11 Apr 2019 13:56:39 +0300
+Subject: net: bridge: fix per-port af_packet sockets
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ]
+
+When the commit below was introduced it changed two visible things:
+ - the skb was no longer passed through the protocol handlers with the
+   original device
+ - the skb was passed up the stack with skb->dev = bridge
+
+The first change broke af_packet sockets on bridge ports. For example we
+use them for hostapd which listens for ETH_P_PAE packets on the ports.
+We discussed two possible fixes:
+ - create a clone and pass it through NF_HOOK(), act on the original skb
+   based on the result
+ - somehow signal to the caller from the okfn() that it was called,
+   meaning the skb is ok to be passed, which this patch is trying to
+   implement via returning 1 from the bridge link-local okfn()
+
+Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
+drop/error would return < 0 thus the okfn() is called only when the
+return was 1, so we signal to the caller that it was called by preserving
+the return value from nf_hook().
+
+Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_input.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -231,13 +231,10 @@ static void __br_handle_local_finish(str
+ /* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+-      struct net_bridge_port *p = br_port_get_rcu(skb->dev);
+-
+       __br_handle_local_finish(skb);
+-      BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
+-      br_pass_frame_up(skb);
+-      return 0;
++      /* return 1 to signal the okfn() was called so it's ok to use the skb */
++      return 1;
+ }
+ /*
+@@ -308,10 +305,18 @@ rx_handler_result_t br_handle_frame(stru
+                               goto forward;
+               }
+-              /* Deliver packet to local host only */
+-              NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev),
+-                      NULL, skb, skb->dev, NULL, br_handle_local_finish);
+-              return RX_HANDLER_CONSUMED;
++              /* The else clause should be hit when nf_hook():
++               *   - returns < 0 (drop/error)
++               *   - returns = 0 (stolen/nf_queue)
++               * Thus return 1 from the okfn() to signal the skb is ok to pass
++               */
++              if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
++                          dev_net(skb->dev), NULL, skb, skb->dev, NULL,
++                          br_handle_local_finish) == 1) {
++                      return RX_HANDLER_PASS;
++              } else {
++                      return RX_HANDLER_CONSUMED;
++              }
+       }
+ forward:
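Review bot: The `== 1` test on NF_HOOK() in br_handle_frame() and the `return 1;` in br_handle_local_finish() are tied together only by two comments. The scheme is correct only while no other path through the hook can produce 1, which the description relies on but the code does not enforce. Giving the value a name shared by both sites would make the contract searchable, and the `else` after `return RX_HANDLER_PASS;` can be dropped so the tail reads `return RX_HANDLER_CONSUMED;`. With RX_HANDLER_PASS the frame now continues up the stack with skb->dev still the port rather than the bridge; anything that filtered or listened for link-local frames on the bridge device should be re-checked against that. Both functions extend beyond the hunks shown.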
diff --git a/queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch b/queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
new file mode 100644 (file)
index 0000000..5f841bf
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 11 Apr 2019 15:08:25 +0300
+Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]
+
+br_multicast_start_querier() walks over the port list but it can be
+called from a timer with only multicast_lock held which doesn't protect
+the port list, so use RCU to walk over it.
+
+Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1983,7 +1983,8 @@ static void br_multicast_start_querier(s
+       __br_multicast_open(br, query);
+-      list_for_each_entry(port, &br->port_list, list) {
++      rcu_read_lock();
++      list_for_each_entry_rcu(port, &br->port_list, list) {
+               if (port->state == BR_STATE_DISABLED ||
+                   port->state == BR_STATE_BLOCKING)
+                       continue;
+@@ -1995,6 +1996,7 @@ static void br_multicast_start_querier(s
+                       br_multicast_enable(&port->ip6_own_query);
+ #endif
+       }
++      rcu_read_unlock();
+ }
+ int br_multicast_toggle(struct net_bridge *br, unsigned long val)
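Review bot: The reason for `rcu_read_lock()` around the `list_for_each_entry_rcu()` walk in br_multicast_start_querier() is only in the commit message. A short comment at the lock keeps it from being removed as redundant by someone who sees multicast_lock held by the caller, for example `/* may run from the querier timer with only multicast_lock held, which does not protect port_list */`. The loop body between the two inner hunks is not shown, so it is not visible whether everything called inside the read-side section is safe in atomic context; that should be confirmed for the 4.9 tree.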
diff --git a/queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch b/queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
new file mode 100644 (file)
index 0000000..c3770f1
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 9 Apr 2019 11:47:20 +0200
+Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ]
+
+gue tunnels run iptunnel_pull_offloads on received skbs. This can
+determine a possible use-after-free accessing guehdr pointer since
+the packet will be 'uncloned' running pskb_expand_head if it is a
+cloned gso skb (e.g if the packet has been sent though a veth device)
+
+Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fou.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -119,6 +119,7 @@ static int gue_udp_recv(struct sock *sk,
+       struct guehdr *guehdr;
+       void *data;
+       u16 doffset = 0;
++      u8 proto_ctype;
+       if (!fou)
+               return 1;
+@@ -210,13 +211,14 @@ static int gue_udp_recv(struct sock *sk,
+       if (unlikely(guehdr->control))
+               return gue_control_message(skb, guehdr);
++      proto_ctype = guehdr->proto_ctype;
+       __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+       skb_reset_transport_header(skb);
+       if (iptunnel_pull_offloads(skb))
+               goto drop;
+-      return -guehdr->proto_ctype;
++      return -proto_ctype;
+ drop:
+       kfree_skb(skb);
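Review bot: After this change `guehdr` is still in scope below `iptunnel_pull_offloads(skb)` in gue_udp_recv(), and nothing marks it as potentially dangling, so a later edit could reintroduce the use-after-free. A comment at the new `proto_ctype = guehdr->proto_ctype;` line would record the constraint, for example `/* guehdr may be freed once iptunnel_pull_offloads() unclones the skb: copy what is needed first */`. It is also worth checking the part of the function between the two inner hunks for any other pointer derived from the skb data that is read after the pull, since that code is not visible here.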
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..fef7f5d
--- /dev/null
@@ -0,0 +1,10 @@
+bonding-fix-event-handling-for-stacked-bonds.patch
+net-atm-fix-potential-spectre-v1-vulnerabilities.patch
+net-bridge-fix-per-port-af_packet-sockets.patch
+net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
+net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
+tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
+team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
+vhost-reject-zero-size-iova-range.patch
+ipv4-recompile-ip-options-in-ipv4_link_failure.patch
+ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
diff --git a/queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch b/queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
new file mode 100644 (file)
index 0000000..af7fce8
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 16 Apr 2019 10:55:20 -0700
+Subject: tcp: tcp_grow_window() needs to respect tcp_space()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ]
+
+For some reason, tcp_grow_window() correctly tests if enough room
+is present before attempting to increase tp->rcv_ssthresh,
+but does not prevent it to grow past tcp_space()
+
+This is causing hard to debug issues, like failing
+the (__tcp_select_window(sk) >= tp->rcv_wnd) test
+in __tcp_ack_snd_check(), causing ACK delays and possibly
+slow flows.
+
+Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
+we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
+after about 60 round trips, when the active side no longer sends
+immediate acks.
+
+This bug predates git history.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -389,11 +389,12 @@ static int __tcp_grow_window(const struc
+ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
+ {
+       struct tcp_sock *tp = tcp_sk(sk);
++      int room;
++
++      room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
+       /* Check #1 */
+-      if (tp->rcv_ssthresh < tp->window_clamp &&
+-          (int)tp->rcv_ssthresh < tcp_space(sk) &&
+-          !tcp_under_memory_pressure(sk)) {
++      if (room > 0 && !tcp_under_memory_pressure(sk)) {
+               int incr;
+               /* Check #2. Increase window, if skb with such overhead
+@@ -406,8 +407,7 @@ static void tcp_grow_window(struct sock
+               if (incr) {
+                       incr = max_t(int, incr, 2 * skb->len);
+-                      tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
+-                                             tp->window_clamp);
++                      tp->rcv_ssthresh += min(room, incr);
+                       inet_csk(sk)->icsk_ack.quick |= 1;
+               }
+       }
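Review bot: `room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;` mixes the int result of min_t() with rcv_ssthresh. The removed line cast rcv_ssthresh explicitly with `(int)`, which suggests it is unsigned. If so, the subtraction is carried out in unsigned arithmetic and the `room > 0` test only works through the implicit conversion back to int on assignment. Writing `- (int)tp->rcv_ssthresh` keeps the whole expression signed and matches the style of the code it replaces. The `Check #1` comment could also say that `room` is the headroom below both window_clamp and tcp_space(), since that is now the invariant the later `+= min(room, incr)` depends on.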
diff --git a/queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch b/queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
new file mode 100644 (file)
index 0000000..5a5a448
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: team: set slave to promisc if team is already in promisc mode
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 43c2adb9df7ddd6560fd3546d925b42cef92daa0 ]
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+v2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1251,6 +1251,23 @@ static int team_port_add(struct team *te
+               goto err_option_port_add;
+       }
++      /* set promiscuity level to new slave */
++      if (dev->flags & IFF_PROMISC) {
++              err = dev_set_promiscuity(port_dev, 1);
++              if (err)
++                      goto err_set_slave_promisc;
++      }
++
++      /* set allmulti level to new slave */
++      if (dev->flags & IFF_ALLMULTI) {
++              err = dev_set_allmulti(port_dev, 1);
++              if (err) {
++                      if (dev->flags & IFF_PROMISC)
++                              dev_set_promiscuity(port_dev, -1);
++                      goto err_set_slave_promisc;
++              }
++      }
++
+       netif_addr_lock_bh(dev);
+       dev_uc_sync_multiple(port_dev, dev);
+       dev_mc_sync_multiple(port_dev, dev);
+@@ -1267,6 +1284,9 @@ static int team_port_add(struct team *te
+       return 0;
++err_set_slave_promisc:
++      __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+       team_upper_dev_unlink(team, port);
+@@ -1312,6 +1332,12 @@ static int team_port_del(struct team *te
+       team_port_disable(team, port);
+       list_del_rcu(&port->list);
++
++      if (dev->flags & IFF_PROMISC)
++              dev_set_promiscuity(port_dev, -1);
++      if (dev->flags & IFF_ALLMULTI)
++              dev_set_allmulti(port_dev, -1);
++
+       team_upper_dev_unlink(team, port);
+       netdev_rx_handler_unregister(port_dev);
+       team_port_disable_netpoll(port);
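Review bot: The allmulti failure path in team_port_add() undoes the promiscuity increment inline and then jumps to `err_set_slave_promisc`, which breaks the one-label-per-step unwind ladder used by the rest of the function. The label name no longer describes both ways of reaching it. A separate `err_set_slave_allmulti:` label placed above `err_set_slave_promisc:`, holding the `if (dev->flags & IFF_PROMISC) dev_set_promiscuity(port_dev, -1);` undo and falling through, keeps the ladder uniform. Both the unwind and team_port_del() re-read `dev->flags` instead of remembering what was applied to the port. That is balanced only if every flag change on the team device is propagated to its ports, which is not visible in these hunks.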
diff --git a/queue-4.9/vhost-reject-zero-size-iova-range.patch b/queue-4.9/vhost-reject-zero-size-iova-range.patch
new file mode 100644 (file)
index 0000000..38a9838
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 9 Apr 2019 12:10:25 +0800
+Subject: vhost: reject zero size iova range
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ]
+
+We used to accept zero size iova range which will lead a infinite loop
+in translate_desc(). Fixing this by failing the request in this case.
+
+Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com
+Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -863,8 +863,12 @@ static int vhost_new_umem_range(struct v
+                               u64 start, u64 size, u64 end,
+                               u64 userspace_addr, int perm)
+ {
+-      struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC);
++      struct vhost_umem_node *tmp, *node;
++      if (!size)
++              return -EFAULT;
++
++      node = kmalloc(sizeof(*node), GFP_ATOMIC);
+       if (!node)
+               return -ENOMEM;
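Review bot: The new `if (!size) return -EFAULT;` in vhost_new_umem_range() rejects an empty range, but the function takes `start`, `size` and `end` as three independent u64 values and the hunk checks only one of them. If a caller derives `end` from `start + size - 1` on values supplied through the IOTLB message, a wrapped sum would still be inserted. Whether callers prevent that is not visible here. Extending the guard to `if (!size || end < start)` would reject the wrapped case in the same place. The body of the function continues past the end of the hunk.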