--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Aug 2017 10:16:45 -0700
+Subject: af_key: do not use GFP_KERNEL in atomic contexts
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b ]
+
+pfkey_broadcast() might be called from non process contexts,
+we can not use GFP_KERNEL in these cases [1].
+
+This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
+af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
+section.
+
+[1] : syzkaller reported :
+
+in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
+3 locks held by syzkaller183439/2932:
+ #0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
+ #1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
+ #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
+ #2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
+CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ ___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
+ __might_sleep+0x95/0x190 kernel/sched/core.c:5947
+ slab_pre_alloc_hook mm/slab.h:416 [inline]
+ slab_alloc mm/slab.c:3383 [inline]
+ kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
+ skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
+ pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
+ pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
+ dump_sp+0x3d6/0x500 net/key/af_key.c:2685
+ xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
+ pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
+ pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
+ pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
+ pfkey_process+0x606/0x710 net/key/af_key.c:2814
+ pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
+sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ ___sys_sendmsg+0x755/0x890 net/socket.c:2035
+ __sys_sendmsg+0xe5/0x210 net/socket.c:2069
+ SYSC_sendmsg net/socket.c:2080 [inline]
+ SyS_sendmsg+0x2d/0x50 net/socket.c:2076
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+RIP: 0033:0x445d79
+RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
+RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
+RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
+R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
+R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
+
+Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c | 48 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 22 deletions(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -228,7 +228,7 @@ static int pfkey_broadcast_one(struct sk
+ #define BROADCAST_ONE 1
+ #define BROADCAST_REGISTERED 2
+ #define BROADCAST_PROMISC_ONLY 4
+-static int pfkey_broadcast(struct sk_buff *skb,
++static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+ int broadcast_flags, struct sock *one_sk,
+ struct net *net)
+ {
+@@ -278,7 +278,7 @@ static int pfkey_broadcast(struct sk_buf
+ rcu_read_unlock();
+
+ if (one_sk != NULL)
+- err = pfkey_broadcast_one(skb, &skb2, GFP_KERNEL, one_sk);
++ err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
+
+ kfree_skb(skb2);
+ kfree_skb(skb);
+@@ -311,7 +311,7 @@ static int pfkey_do_dump(struct pfkey_so
+ hdr = (struct sadb_msg *) pfk->dump.skb->data;
+ hdr->sadb_msg_seq = 0;
+ hdr->sadb_msg_errno = rc;
+- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ &pfk->sk, sock_net(&pfk->sk));
+ pfk->dump.skb = NULL;
+ }
+@@ -355,7 +355,7 @@ static int pfkey_error(const struct sadb
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) /
+ sizeof(uint64_t));
+
+- pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
++ pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));
+
+ return 0;
+ }
+@@ -1396,7 +1396,7 @@ static int pfkey_getspi(struct sock *sk,
+
+ xfrm_state_put(x);
+
+- pfkey_broadcast(resp_skb, BROADCAST_ONE, sk, net);
++ pfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);
+
+ return 0;
+ }
+@@ -1483,7 +1483,7 @@ static int key_notify_sa(struct xfrm_sta
+ hdr->sadb_msg_seq = c->seq;
+ hdr->sadb_msg_pid = c->portid;
+
+- pfkey_broadcast(skb, BROADCAST_ALL, NULL, xs_net(x));
++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));
+
+ return 0;
+ }
+@@ -1596,7 +1596,7 @@ static int pfkey_get(struct sock *sk, st
+ out_hdr->sadb_msg_reserved = 0;
+ out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
+ out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
+- pfkey_broadcast(out_skb, BROADCAST_ONE, sk, sock_net(sk));
++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
+
+ return 0;
+ }
+@@ -1701,8 +1701,8 @@ static int pfkey_register(struct sock *s
+ return -ENOBUFS;
+ }
+
+- pfkey_broadcast(supp_skb, BROADCAST_REGISTERED, sk, sock_net(sk));
+-
++ pfkey_broadcast(supp_skb, GFP_KERNEL, BROADCAST_REGISTERED, sk,
++ sock_net(sk));
+ return 0;
+ }
+
+@@ -1720,7 +1720,8 @@ static int unicast_flush_resp(struct soc
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+
+- return pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk,
++ sock_net(sk));
+ }
+
+ static int key_notify_sa_flush(const struct km_event *c)
+@@ -1741,7 +1742,7 @@ static int key_notify_sa_flush(const str
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+ hdr->sadb_msg_reserved = 0;
+
+- pfkey_broadcast(skb, BROADCAST_ALL, NULL, c->net);
++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+
+ return 0;
+ }
+@@ -1798,7 +1799,7 @@ static int dump_sa(struct xfrm_state *x,
+ out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
+
+ if (pfk->dump.skb)
+- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ &pfk->sk, sock_net(&pfk->sk));
+ pfk->dump.skb = out_skb;
+
+@@ -1886,7 +1887,7 @@ static int pfkey_promisc(struct sock *sk
+ new_hdr->sadb_msg_errno = 0;
+ }
+
+- pfkey_broadcast(skb, BROADCAST_ALL, NULL, sock_net(sk));
++ pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
+ return 0;
+ }
+
+@@ -2219,7 +2220,7 @@ static int key_notify_policy(struct xfrm
+ out_hdr->sadb_msg_errno = 0;
+ out_hdr->sadb_msg_seq = c->seq;
+ out_hdr->sadb_msg_pid = c->portid;
+- pfkey_broadcast(out_skb, BROADCAST_ALL, NULL, xp_net(xp));
++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));
+ return 0;
+
+ }
+@@ -2439,7 +2440,7 @@ static int key_pol_get_resp(struct sock
+ out_hdr->sadb_msg_errno = 0;
+ out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
+ out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
+- pfkey_broadcast(out_skb, BROADCAST_ONE, sk, xp_net(xp));
++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));
+ err = 0;
+
+ out:
+@@ -2695,7 +2696,7 @@ static int dump_sp(struct xfrm_policy *x
+ out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
+
+ if (pfk->dump.skb)
+- pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
++ pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ &pfk->sk, sock_net(&pfk->sk));
+ pfk->dump.skb = out_skb;
+
+@@ -2752,7 +2753,7 @@ static int key_notify_policy_flush(const
+ hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+ hdr->sadb_msg_reserved = 0;
+- pfkey_broadcast(skb_out, BROADCAST_ALL, NULL, c->net);
++ pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ return 0;
+
+ }
+@@ -2814,7 +2815,7 @@ static int pfkey_process(struct sock *sk
+ void *ext_hdrs[SADB_EXT_MAX];
+ int err;
+
+- pfkey_broadcast(skb_clone(skb, GFP_KERNEL),
++ pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
+
+ memset(ext_hdrs, 0, sizeof(ext_hdrs));
+@@ -3036,7 +3037,8 @@ static int key_notify_sa_expire(struct x
+ out_hdr->sadb_msg_seq = 0;
+ out_hdr->sadb_msg_pid = 0;
+
+- pfkey_broadcast(out_skb, BROADCAST_REGISTERED, NULL, xs_net(x));
++ pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
++ xs_net(x));
+ return 0;
+ }
+
+@@ -3226,7 +3228,8 @@ static int pfkey_send_acquire(struct xfr
+ xfrm_ctx->ctx_len);
+ }
+
+- return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
++ xs_net(x));
+ }
+
+ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
+@@ -3424,7 +3427,8 @@ static int pfkey_send_new_mapping(struct
+ n_port->sadb_x_nat_t_port_port = sport;
+ n_port->sadb_x_nat_t_port_reserved = 0;
+
+- return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
++ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
++ xs_net(x));
+ }
+
+ #ifdef CONFIG_NET_KEY_MIGRATE
+@@ -3616,7 +3620,7 @@ static int pfkey_send_migrate(const stru
+ }
+
+ /* broadcast migrate message to sockets */
+- pfkey_broadcast(skb, BROADCAST_ALL, NULL, &init_net);
++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+
+ return 0;
+
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Aug 2017 07:03:15 -0700
+Subject: dccp: defer ccid_hc_tx_delete() at dismantle time
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 120e9dabaf551c6dc03d3a10a1f026376cb1811c ]
+
+syszkaller team reported another problem in DCCP [1]
+
+Problem here is that the structure holding RTO timer
+(ccid2_hc_tx_rto_expire() handler) is freed too soon.
+
+We can not use del_timer_sync() to cancel the timer
+since this timer wants to grab socket lock (that would risk a dead lock)
+
+Solution is to defer the freeing of memory when all references to
+the socket were released. Socket timers do own a reference, so this
+should fix the issue.
+
+[1]
+
+==================================================================
+BUG: KASAN: use-after-free in ccid2_hc_tx_rto_expire+0x51c/0x5c0 net/dccp/ccids/ccid2.c:144
+Read of size 4 at addr ffff8801d2660540 by task kworker/u4:7/3365
+
+CPU: 1 PID: 3365 Comm: kworker/u4:7 Not tainted 4.13.0-rc4+ #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events_unbound call_usermodehelper_exec_work
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x24e/0x340 mm/kasan/report.c:409
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
+ ccid2_hc_tx_rto_expire+0x51c/0x5c0 net/dccp/ccids/ccid2.c:144
+ call_timer_fn+0x233/0x830 kernel/time/timer.c:1268
+ expire_timers kernel/time/timer.c:1307 [inline]
+ __run_timers+0x7fd/0xb90 kernel/time/timer.c:1601
+ run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
+ __do_softirq+0x2f5/0xba3 kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:638 [inline]
+ smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:1044
+ apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:702
+RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:824 [inline]
+RIP: 0010:__raw_write_unlock_irq include/linux/rwlock_api_smp.h:267 [inline]
+RIP: 0010:_raw_write_unlock_irq+0x56/0x70 kernel/locking/spinlock.c:343
+RSP: 0018:ffff8801cd50eaa8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
+RAX: dffffc0000000000 RBX: ffffffff85a090c0 RCX: 0000000000000006
+RDX: 1ffffffff0b595f3 RSI: 1ffff1003962f989 RDI: ffffffff85acaf98
+RBP: ffff8801cd50eab0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801cc96ea60
+R13: dffffc0000000000 R14: ffff8801cc96e4c0 R15: ffff8801cc96e4c0
+ </IRQ>
+ release_task+0xe9e/0x1a40 kernel/exit.c:220
+ wait_task_zombie kernel/exit.c:1162 [inline]
+ wait_consider_task+0x29b8/0x33c0 kernel/exit.c:1389
+ do_wait_thread kernel/exit.c:1452 [inline]
+ do_wait+0x441/0xa90 kernel/exit.c:1523
+ kernel_wait4+0x1f5/0x370 kernel/exit.c:1665
+ SYSC_wait4+0x134/0x140 kernel/exit.c:1677
+ SyS_wait4+0x2c/0x40 kernel/exit.c:1673
+ call_usermodehelper_exec_sync kernel/kmod.c:286 [inline]
+ call_usermodehelper_exec_work+0x1a0/0x2c0 kernel/kmod.c:323
+ process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2097
+ worker_thread+0x223/0x1860 kernel/workqueue.c:2231
+ kthread+0x35e/0x430 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:425
+
+Allocated by task 21267:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x127/0x750 mm/slab.c:3561
+ ccid_new+0x20e/0x390 net/dccp/ccid.c:151
+ dccp_hdlr_ccid+0x27/0x140 net/dccp/feat.c:44
+ __dccp_feat_activate+0x142/0x2a0 net/dccp/feat.c:344
+ dccp_feat_activate_values+0x34e/0xa90 net/dccp/feat.c:1538
+ dccp_rcv_request_sent_state_process net/dccp/input.c:472 [inline]
+ dccp_rcv_state_process+0xed1/0x1620 net/dccp/input.c:677
+ dccp_v4_do_rcv+0xeb/0x160 net/dccp/ipv4.c:679
+ sk_backlog_rcv include/net/sock.h:911 [inline]
+ __release_sock+0x124/0x360 net/core/sock.c:2269
+ release_sock+0xa4/0x2a0 net/core/sock.c:2784
+ inet_wait_for_connect net/ipv4/af_inet.c:557 [inline]
+ __inet_stream_connect+0x671/0xf00 net/ipv4/af_inet.c:643
+ inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:682
+ SYSC_connect+0x204/0x470 net/socket.c:1642
+ SyS_connect+0x24/0x30 net/socket.c:1623
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Freed by task 3049:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
+ __cache_free mm/slab.c:3503 [inline]
+ kmem_cache_free+0x77/0x280 mm/slab.c:3763
+ ccid_hc_tx_delete+0xc5/0x100 net/dccp/ccid.c:190
+ dccp_destroy_sock+0x1d1/0x2b0 net/dccp/proto.c:225
+ inet_csk_destroy_sock+0x166/0x3f0 net/ipv4/inet_connection_sock.c:833
+ dccp_done+0xb7/0xd0 net/dccp/proto.c:145
+ dccp_time_wait+0x13d/0x300 net/dccp/minisocks.c:72
+ dccp_rcv_reset+0x1d1/0x5b0 net/dccp/input.c:160
+ dccp_rcv_state_process+0x8fc/0x1620 net/dccp/input.c:663
+ dccp_v4_do_rcv+0xeb/0x160 net/dccp/ipv4.c:679
+ sk_backlog_rcv include/net/sock.h:911 [inline]
+ __sk_receive_skb+0x33e/0xc00 net/core/sock.c:521
+ dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:871
+ ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
+ NF_HOOK include/linux/netfilter.h:248 [inline]
+ ip_local_deliver+0x1ce/0x6d0 net/ipv4/ip_input.c:257
+ dst_input include/net/dst.h:477 [inline]
+ ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397
+ NF_HOOK include/linux/netfilter.h:248 [inline]
+ ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488
+ __netif_receive_skb_core+0x19af/0x33d0 net/core/dev.c:4417
+ __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4455
+ process_backlog+0x203/0x740 net/core/dev.c:5130
+ napi_poll net/core/dev.c:5527 [inline]
+ net_rx_action+0x792/0x1910 net/core/dev.c:5593
+ __do_softirq+0x2f5/0xba3 kernel/softirq.c:284
+
+The buggy address belongs to the object at ffff8801d2660100
+ which belongs to the cache ccid2_hc_tx_sock of size 1240
+The buggy address is located 1088 bytes inside of
+ 1240-byte region [ffff8801d2660100, ffff8801d26605d8)
+The buggy address belongs to the page:
+page:ffffea0007499800 count:1 mapcount:0 mapping:ffff8801d2660100 index:0x0 compound_mapcount: 0
+flags: 0x200000000008100(slab|head)
+raw: 0200000000008100 ffff8801d2660100 0000000000000000 0000000100000005
+raw: ffffea00075271a0 ffffea0007538820 ffff8801d3aef9c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d2660400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d2660480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d2660500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8801d2660580: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff8801d2660600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -24,6 +24,7 @@
+ #include <net/checksum.h>
+
+ #include <net/inet_sock.h>
++#include <net/inet_common.h>
+ #include <net/sock.h>
+ #include <net/xfrm.h>
+
+@@ -170,6 +171,15 @@ const char *dccp_packet_name(const int t
+
+ EXPORT_SYMBOL_GPL(dccp_packet_name);
+
++static void dccp_sk_destruct(struct sock *sk)
++{
++ struct dccp_sock *dp = dccp_sk(sk);
++
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_tx_ccid = NULL;
++ inet_sock_destruct(sk);
++}
++
+ int dccp_init_sock(struct sock *sk, const __u8 ctl_sock_initialized)
+ {
+ struct dccp_sock *dp = dccp_sk(sk);
+@@ -179,6 +189,7 @@ int dccp_init_sock(struct sock *sk, cons
+ icsk->icsk_syn_retries = sysctl_dccp_request_retries;
+ sk->sk_state = DCCP_CLOSED;
+ sk->sk_write_space = dccp_write_space;
++ sk->sk_destruct = dccp_sk_destruct;
+ icsk->icsk_sync_mss = dccp_sync_mss;
+ dp->dccps_mss_cache = 536;
+ dp->dccps_rate_last = jiffies;
+@@ -219,8 +230,7 @@ void dccp_destroy_sock(struct sock *sk)
+ dp->dccps_hc_rx_ackvec = NULL;
+ }
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+- dp->dccps_hc_rx_ccid = dp->dccps_hc_tx_ccid = NULL;
++ dp->dccps_hc_rx_ccid = NULL;
+
+ /* clean up feature negotiation state */
+ dccp_feat_list_purge(&dp->dccps_featneg);
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Aug 2017 14:10:25 -0700
+Subject: dccp: purge write queue in dccp_destroy_sock()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7749d4ff88d31b0be17c8683143135adaaadc6a7 ]
+
+syzkaller reported that DCCP could have a non empty
+write queue at dismantle time.
+
+WARNING: CPU: 1 PID: 2953 at net/core/stream.c:199 sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 2953 Comm: syz-executor0 Not tainted 4.13.0-rc4+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ panic+0x1e4/0x417 kernel/panic.c:180
+ __warn+0x1c4/0x1d9 kernel/panic.c:541
+ report_bug+0x211/0x2d0 lib/bug.c:183
+ fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:190
+ do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
+ do_trap+0x260/0x390 arch/x86/kernel/traps.c:273
+ do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
+ invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:846
+RIP: 0010:sk_stream_kill_queues+0x3ce/0x520 net/core/stream.c:199
+RSP: 0018:ffff8801d182f108 EFLAGS: 00010297
+RAX: ffff8801d1144140 RBX: ffff8801d13cb280 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff85137b00 RDI: ffff8801d13cb280
+RBP: ffff8801d182f148 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d13cb4d0
+R13: ffff8801d13cb3b8 R14: ffff8801d13cb300 R15: ffff8801d13cb3b8
+ inet_csk_destroy_sock+0x175/0x3f0 net/ipv4/inet_connection_sock.c:835
+ dccp_close+0x84d/0xc10 net/dccp/proto.c:1067
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ sock_close+0x16/0x20 net/socket.c:1126
+ __fput+0x327/0x7e0 fs/file_table.c:210
+ ____fput+0x15/0x20 fs/file_table.c:246
+ task_work_run+0x18a/0x260 kernel/task_work.c:116
+ exit_task_work include/linux/task_work.h:21 [inline]
+ do_exit+0xa32/0x1b10 kernel/exit.c:865
+ do_group_exit+0x149/0x400 kernel/exit.c:969
+ get_signal+0x7e8/0x17e0 kernel/signal.c:2330
+ do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
+ exit_to_usermode_loop+0x21c/0x2d0 arch/x86/entry/common.c:157
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath+0x3a7/0x450 arch/x86/entry/common.c:263
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -201,10 +201,7 @@ void dccp_destroy_sock(struct sock *sk)
+ {
+ struct dccp_sock *dp = dccp_sk(sk);
+
+- /*
+- * DCCP doesn't use sk_write_queue, just sk_send_head
+- * for retransmissions
+- */
++ __skb_queue_purge(&sk->sk_write_queue);
+ if (sk->sk_send_head != NULL) {
+ kfree_skb(sk->sk_send_head);
+ sk->sk_send_head = NULL;
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Aug 2017 11:09:12 -0700
+Subject: ipv4: better IP_MAX_MTU enforcement
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit c780a049f9bf442314335372c9abc4548bfe3e44 ]
+
+While working on yet another syzkaller report, I found
+that our IP_MAX_MTU enforcements were not properly done.
+
+gcc seems to reload dev->mtu for min(dev->mtu, IP_MAX_MTU), and
+final result can be bigger than IP_MAX_MTU :/
+
+This is a problem because device mtu can be changed on other cpus or
+threads.
+
+While this patch does not fix the issue I am working on, it is
+probably worth addressing it.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 4 ++--
+ net/ipv4/route.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -314,7 +314,7 @@ static inline unsigned int ip_dst_mtu_ma
+ !forwarding)
+ return dst_mtu(dst);
+
+- return min(dst->dev->mtu, IP_MAX_MTU);
++ return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
+ }
+
+ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
+@@ -327,7 +327,7 @@ static inline unsigned int ip_skb_dst_mt
+ return ip_dst_mtu_maybe_forward(skb_dst(skb), forwarding);
+ }
+
+- return min(skb_dst(skb)->dev->mtu, IP_MAX_MTU);
++ return min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU);
+ }
+
+ u32 ip_idents_reserve(u32 hash, int segs);
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1241,7 +1241,7 @@ static unsigned int ipv4_mtu(const struc
+ if (mtu)
+ return mtu;
+
+- mtu = dst->dev->mtu;
++ mtu = READ_ONCE(dst->dev->mtu);
+
+ if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
+ if (rt->rt_uses_gateway && mtu > 576)
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 15 Aug 2017 05:26:17 -0700
+Subject: ipv4: fix NULL dereference in free_fib_info_rcu()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 187e5b3ac84d3421d2de3aca949b2791fbcad554 ]
+
+If fi->fib_metrics could not be allocated in fib_create_info()
+we attempt to dereference a NULL pointer in free_fib_info_rcu() :
+
+ m = fi->fib_metrics;
+ if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
+ kfree(m);
+
+Before my recent patch, we used to call kfree(NULL) and nothing wrong
+happened.
+
+Instead of using RCU to defer freeing while we are under memory stress,
+it seems better to take immediate action.
+
+This was reported by syzkaller team.
+
+Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1044,15 +1044,17 @@ struct fib_info *fib_create_info(struct
+ fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
+ if (!fi)
+ goto failure;
+- fib_info_cnt++;
+ if (cfg->fc_mx) {
+ fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL);
+- if (!fi->fib_metrics)
+- goto failure;
++ if (unlikely(!fi->fib_metrics)) {
++ kfree(fi);
++ return ERR_PTR(err);
++ }
+ atomic_set(&fi->fib_metrics->refcnt, 1);
+- } else
++ } else {
+ fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
+-
++ }
++ fib_info_cnt++;
+ fi->fib_net = net;
+ fi->fib_protocol = cfg->fc_protocol;
+ fi->fib_scope = cfg->fc_scope;
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Wei Wang <weiwan@google.com>
+Date: Fri, 18 Aug 2017 17:14:49 -0700
+Subject: ipv6: repair fib6 tree in failure case
+
+From: Wei Wang <weiwan@google.com>
+
+
+[ Upstream commit 348a4002729ccab8b888b38cbc099efa2f2a2036 ]
+
+In fib6_add(), it is possible that fib6_add_1() picks an intermediate
+node and sets the node's fn->leaf to NULL in order to add this new
+route. However, if fib6_add_rt2node() fails to add the new
+route for some reason, fn->leaf will be left as NULL and could
+potentially cause crash when fn->leaf is accessed in fib6_locate().
+This patch makes sure fib6_repair_tree() is called to properly repair
+fn->leaf in the above failure case.
+
+Here is the syzkaller reported general protection fault in fib6_locate:
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+Modules linked in:
+CPU: 0 PID: 40937 Comm: syz-executor3 Not tainted
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+task: ffff8801d7d64100 ti: ffff8801d01a0000 task.ti: ffff8801d01a0000
+RIP: 0010:[<ffffffff82a3e0e1>] [<ffffffff82a3e0e1>] __ipv6_prefix_equal64_half include/net/ipv6.h:475 [inline]
+RIP: 0010:[<ffffffff82a3e0e1>] [<ffffffff82a3e0e1>] ipv6_prefix_equal include/net/ipv6.h:492 [inline]
+RIP: 0010:[<ffffffff82a3e0e1>] [<ffffffff82a3e0e1>] fib6_locate_1 net/ipv6/ip6_fib.c:1210 [inline]
+RIP: 0010:[<ffffffff82a3e0e1>] [<ffffffff82a3e0e1>] fib6_locate+0x281/0x3c0 net/ipv6/ip6_fib.c:1233
+RSP: 0018:ffff8801d01a36a8 EFLAGS: 00010202
+RAX: 0000000000000020 RBX: ffff8801bc790e00 RCX: ffffc90002983000
+RDX: 0000000000001219 RSI: ffff8801d01a37a0 RDI: 0000000000000100
+RBP: ffff8801d01a36f0 R08: 00000000000000ff R09: 0000000000000000
+R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000001
+R13: dffffc0000000000 R14: ffff8801d01a37a0 R15: 0000000000000000
+FS: 00007f6afd68c700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004c6340 CR3: 00000000ba41f000 CR4: 00000000001426f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Stack:
+ ffff8801d01a37a8 ffff8801d01a3780 ffffed003a0346f5 0000000c82a23ea0
+ ffff8800b7bd7700 ffff8801d01a3780 ffff8800b6a1c940 ffffffff82a23ea0
+ ffff8801d01a3920 ffff8801d01a3748 ffffffff82a223d6 ffff8801d7d64988
+Call Trace:
+ [<ffffffff82a223d6>] ip6_route_del+0x106/0x570 net/ipv6/route.c:2109
+ [<ffffffff82a23f9d>] inet6_rtm_delroute+0xfd/0x100 net/ipv6/route.c:3075
+ [<ffffffff82621359>] rtnetlink_rcv_msg+0x549/0x7a0 net/core/rtnetlink.c:3450
+ [<ffffffff8274c1d1>] netlink_rcv_skb+0x141/0x370 net/netlink/af_netlink.c:2281
+ [<ffffffff82613ddf>] rtnetlink_rcv+0x2f/0x40 net/core/rtnetlink.c:3456
+ [<ffffffff8274ad38>] netlink_unicast_kernel net/netlink/af_netlink.c:1206 [inline]
+ [<ffffffff8274ad38>] netlink_unicast+0x518/0x750 net/netlink/af_netlink.c:1232
+ [<ffffffff8274b83e>] netlink_sendmsg+0x8ce/0xc30 net/netlink/af_netlink.c:1778
+ [<ffffffff82564aff>] sock_sendmsg_nosec net/socket.c:609 [inline]
+ [<ffffffff82564aff>] sock_sendmsg+0xcf/0x110 net/socket.c:619
+ [<ffffffff82564d62>] sock_write_iter+0x222/0x3a0 net/socket.c:834
+ [<ffffffff8178523d>] new_sync_write+0x1dd/0x2b0 fs/read_write.c:478
+ [<ffffffff817853f4>] __vfs_write+0xe4/0x110 fs/read_write.c:491
+ [<ffffffff81786c38>] vfs_write+0x178/0x4b0 fs/read_write.c:538
+ [<ffffffff817892a9>] SYSC_write fs/read_write.c:585 [inline]
+ [<ffffffff817892a9>] SyS_write+0xd9/0x1b0 fs/read_write.c:577
+ [<ffffffff82c71e32>] entry_SYSCALL_64_fastpath+0x12/0x17
+
+Note: there is no "Fixes" tag as this seems to be a bug introduced
+very early.
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -996,7 +996,7 @@ int fib6_add(struct fib6_node *root, str
+ /* Create subtree root node */
+ sfn = node_alloc();
+ if (!sfn)
+- goto st_failure;
++ goto failure;
+
+ sfn->leaf = info->nl_net->ipv6.ip6_null_entry;
+ atomic_inc(&info->nl_net->ipv6.ip6_null_entry->rt6i_ref);
+@@ -1012,12 +1012,12 @@ int fib6_add(struct fib6_node *root, str
+
+ if (IS_ERR(sn)) {
+ /* If it is failed, discard just allocated
+- root, and then (in st_failure) stale node
++ root, and then (in failure) stale node
+ in main tree.
+ */
+ node_free(sfn);
+ err = PTR_ERR(sn);
+- goto st_failure;
++ goto failure;
+ }
+
+ /* Now link new subtree to main tree */
+@@ -1031,7 +1031,7 @@ int fib6_add(struct fib6_node *root, str
+
+ if (IS_ERR(sn)) {
+ err = PTR_ERR(sn);
+- goto st_failure;
++ goto failure;
+ }
+ }
+
+@@ -1073,22 +1073,22 @@ out:
+ atomic_inc(&pn->leaf->rt6i_ref);
+ }
+ #endif
+- if (!(rt->dst.flags & DST_NOCACHE))
+- dst_free(&rt->dst);
++ goto failure;
+ }
+ return err;
+
+-#ifdef CONFIG_IPV6_SUBTREES
+- /* Subtree creation failed, probably main tree node
+- is orphan. If it is, shoot it.
++failure:
++ /* fn->leaf could be NULL if fn is an intermediate node and we
++ * failed to add the new route to it in both subtree creation
++ * failure and fib6_add_rt2node() failure case.
++ * In both cases, fib6_repair_tree() should be called to fix
++ * fn->leaf.
+ */
+-st_failure:
+ if (fn && !(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)))
+ fib6_repair_tree(info->nl_net, fn);
+ if (!(rt->dst.flags & DST_NOCACHE))
+ dst_free(&rt->dst);
+ return err;
+-#endif
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Wei Wang <weiwan@google.com>
+Date: Wed, 16 Aug 2017 11:18:09 -0700
+Subject: ipv6: reset fn->rr_ptr when replacing route
+
+From: Wei Wang <weiwan@google.com>
+
+
+[ Upstream commit 383143f31d7d3525a1dbff733d52fff917f82f15 ]
+
+syzcaller reported the following use-after-free issue in rt6_select():
+BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
+BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
+Read of size 4 by task syz-executor1/439628
+CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
+ ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
+ ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
+Call Trace:
+ [<ffffffff81ca384d>] __dump_stack lib/dump_stack.c:15 [inline]
+ [<ffffffff81ca384d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
+sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
+Use struct sctp_sack_info instead
+ [<ffffffff81735751>] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
+ [<ffffffff817359c4>] print_address_description mm/kasan/report.c:196 [inline]
+ [<ffffffff817359c4>] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
+ [<ffffffff81735d93>] kasan_report mm/kasan/report.c:305 [inline]
+ [<ffffffff81735d93>] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
+ [<ffffffff82a28e39>] rt6_select net/ipv6/route.c:755 [inline]
+ [<ffffffff82a28e39>] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
+ [<ffffffff82a28fb1>] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
+ [<ffffffff82ab0a50>] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
+ [<ffffffff8265cbb6>] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
+ [<ffffffff82ab1430>] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
+ [<ffffffff82a22006>] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
+ [<ffffffff829e83d2>] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
+ [<ffffffff829e889a>] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
+ [<ffffffff82a9f7d8>] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
+ [<ffffffff82aa0978>] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
+ [<ffffffff82aa0978>] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
+ [<ffffffff82aa1313>] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
+ [<ffffffff8292f790>] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
+ [<ffffffff82565547>] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
+ [<ffffffff8256a649>] SyS_connect+0x29/0x30 net/socket.c:1563
+ [<ffffffff82c72032>] entry_SYSCALL_64_fastpath+0x12/0x17
+Object at ffff8800bc699380, in cache ip6_dst_cache size: 384
+
+The root cause of it is that in fib6_add_rt2node(), when it replaces an
+existing route with the new one, it does not update fn->rr_ptr.
+This commit resets fn->rr_ptr to NULL when it points to a route which is
+replaced in fib6_add_rt2node().
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Wei Wang <weiwan@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -892,6 +892,8 @@ add:
+ }
+ nsiblings = iter->rt6i_nsiblings;
+ fib6_purge_rt(iter, fn, info->nl_net);
++ if (fn->rr_ptr == iter)
++ fn->rr_ptr = NULL;
+ rt6_release(iter);
+
+ if (nsiblings) {
+@@ -904,6 +906,8 @@ add:
+ if (rt6_qualify_for_ecmp(iter)) {
+ *ins = iter->dst.rt6_next;
+ fib6_purge_rt(iter, fn, info->nl_net);
++ if (fn->rr_ptr == iter)
++ fn->rr_ptr = NULL;
+ rt6_release(iter);
+ nsiblings--;
+ } else {
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 17 Aug 2017 23:14:58 +0100
+Subject: irda: do not leak initialized list.dev to userspace
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit b024d949a3c24255a7ef1a470420eb478949aa4c ]
+
+list.dev has not been initialized and so the copy_to_user is copying
+data from the stack back to user space which is a potential
+information leak. Fix this ensuring all of list is initialized to
+zero.
+
+Detected by CoverityScan, CID#1357894 ("Uninitialized scalar variable")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/af_irda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -2227,7 +2227,7 @@ static int irda_getsockopt(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+- struct irda_device_list list;
++ struct irda_device_list list = { 0 };
+ struct irda_device_info *discoveries;
+ struct irda_ias_set * ias_opt; /* IAS get/query params */
+ struct ias_object * ias_obj; /* Object in IAS */
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 18 Aug 2017 11:01:36 +0800
+Subject: net: sched: fix NULL pointer dereference when action calls some targets
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ]
+
+As we know in some target's checkentry it may dereference par.entryinfo
+to check entry stuff inside. But when sched action calls xt_check_target,
+par.entryinfo is set with NULL. It would cause kernel panic when calling
+some targets.
+
+It can be reproduce with:
+ # tc qd add dev eth1 ingress handle ffff:
+ # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
+ -j ECN --ecn-tcp-remove
+
+It could also crash kernel when using target CLUSTERIP or TPROXY.
+
+By now there's no proper value for par.entryinfo in ipt_init_target,
+but it can not be set with NULL. This patch is to void all these
+panics by setting it with an ipt_entry obj with all members = 0.
+
+Note that this issue has been there since the very beginning.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ipt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -34,6 +34,7 @@ static int ipt_init_target(struct xt_ent
+ {
+ struct xt_tgchk_param par;
+ struct xt_target *target;
++ struct ipt_entry e = {};
+ int ret = 0;
+
+ target = xt_request_find_target(AF_INET, t->u.user.name,
+@@ -44,6 +45,7 @@ static int ipt_init_target(struct xt_ent
+ t->u.kernel.target = target;
+ memset(&par, 0, sizeof(par));
+ par.table = table;
++ par.entryinfo = &e;
+ par.target = target;
+ par.targinfo = t->data;
+ par.hook_mask = hook;
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Sat, 19 Aug 2017 15:37:07 +0300
+Subject: net_sched: fix order of queue length updates in qdisc_replace()
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit 68a66d149a8c78ec6720f268597302883e48e9fa ]
+
+This important to call qdisc_tree_reduce_backlog() after changing queue
+length. Parent qdisc should deactivate class in ->qlen_notify() called from
+qdisc_tree_reduce_backlog() but this happens only if qdisc->q.qlen in zero.
+
+Missed class deactivations leads to crashes/warnings at picking packets
+from empty qdisc and corrupting state at reactivating this class in future.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Fixes: 86a7996cc8a0 ("net_sched: introduce qdisc_replace() helper")
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sch_generic.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -717,8 +717,11 @@ static inline struct Qdisc *qdisc_replac
+ old = *pold;
+ *pold = new;
+ if (old != NULL) {
+- qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog);
++ unsigned int qlen = old->q.qlen;
++ unsigned int backlog = old->qstats.backlog;
++
+ qdisc_reset(old);
++ qdisc_tree_reduce_backlog(old, qlen, backlog);
+ }
+ sch_tree_unlock(sch);
+
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Tue, 15 Aug 2017 16:39:05 +0300
+Subject: net_sched: remove warning from qdisc_hash_add
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit c90e95147c27b1780e76c6e8fea1b5c78d7d387f ]
+
+It was added in commit e57a784d8cae ("pkt_sched: set root qdisc
+before change() in attach_default_qdiscs()") to hide duplicates
+from "tc qdisc show" for incative deivices.
+
+After 59cc1f61f ("net: sched: convert qdisc linked list to hashtable")
+it triggered when classful qdisc is added to inactive device because
+default qdiscs are added before switching root qdisc.
+
+Anyway after commit ea3274695353 ("net: sched: avoid duplicates in
+qdisc dump") duplicates are filtered right in dumper.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_api.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -275,9 +275,6 @@ static struct Qdisc *qdisc_match_from_ro
+ void qdisc_list_add(struct Qdisc *q)
+ {
+ if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
+- struct Qdisc *root = qdisc_dev(q)->qdisc;
+-
+- WARN_ON_ONCE(root == &noop_qdisc);
+ ASSERT_RTNL();
+ list_add_tail_rcu(&q->list, &root->list);
+ }
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Tue, 15 Aug 2017 16:37:04 +0300
+Subject: net_sched/sfq: update hierarchical backlog when drop packet
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit 325d5dc3f7e7c2840b65e4a2988c082c2c0025c5 ]
+
+When sfq_enqueue() drops head packet or packet from another queue it
+have to update backlog at upper qdiscs too.
+
+Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -434,6 +434,7 @@ congestion_drop:
+ qdisc_drop(head, sch);
+
+ slot_queue_add(slot, skb);
++ qdisc_tree_reduce_backlog(sch, 0, delta);
+ return NET_XMIT_CN;
+ }
+
+@@ -465,8 +466,10 @@ enqueue:
+ /* Return Congestion Notification only if we dropped a packet
+ * from this flow.
+ */
+- if (qlen != slot->qlen)
++ if (qlen != slot->qlen) {
++ qdisc_tree_reduce_backlog(sch, 0, dropped - qdisc_pkt_len(skb));
+ return NET_XMIT_CN;
++ }
+
+ /* As we dropped a packet, better let upper stack know this */
+ qdisc_tree_reduce_backlog(sch, 1, dropped);
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 16 Aug 2017 20:16:40 +0200
+Subject: sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d ]
+
+KMSAN reported use of uninitialized sctp_addr->v4.sin_addr.s_addr and
+sctp_addr->v6.sin6_scope_id in sctp_v6_cmp_addr() (see below).
+Make sure all fields of an IPv6 address are initialized, which
+guarantees that the IPv4 fields are also initialized.
+
+==================================================================
+ BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
+ net/sctp/ipv6.c:517
+ CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+ 01/01/2011
+ Call Trace:
+ dump_stack+0x172/0x1c0 lib/dump_stack.c:42
+ is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
+ native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
+ arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
+ arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
+ __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
+ sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
+ sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+ sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
+ sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
+ inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg net/socket.c:643 [inline]
+ SYSC_sendto+0x608/0x710 net/socket.c:1696
+ SyS_sendto+0x8a/0xb0 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x13/0x94
+ RIP: 0033:0x44b479
+ RSP: 002b:00007f6213f21c08 EFLAGS: 00000286 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 000000000044b479
+ RDX: 0000000000000041 RSI: 0000000020edd000 RDI: 0000000000000006
+ RBP: 00000000007080a8 R08: 0000000020b85fe4 R09: 000000000000001c
+ R10: 0000000000040005 R11: 0000000000000286 R12: 00000000ffffffff
+ R13: 0000000000003760 R14: 00000000006e5820 R15: 0000000000ff8000
+ origin description: ----dst_saddr@sctp_v6_get_dst
+ local variable created at:
+ sk_fullsock include/net/sock.h:2321 [inline]
+ inet6_sk include/linux/ipv6.h:309 [inline]
+ sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+==================================================================
+ BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
+ net/sctp/ipv6.c:517
+ CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+ 01/01/2011
+ Call Trace:
+ dump_stack+0x172/0x1c0 lib/dump_stack.c:42
+ is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
+ native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
+ arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
+ arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
+ __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
+ sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
+ sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+ sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
+ sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
+ inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg net/socket.c:643 [inline]
+ SYSC_sendto+0x608/0x710 net/socket.c:1696
+ SyS_sendto+0x8a/0xb0 net/socket.c:1664
+ entry_SYSCALL_64_fastpath+0x13/0x94
+ RIP: 0033:0x44b479
+ RSP: 002b:00007f6213f21c08 EFLAGS: 00000286 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 000000000044b479
+ RDX: 0000000000000041 RSI: 0000000020edd000 RDI: 0000000000000006
+ RBP: 00000000007080a8 R08: 0000000020b85fe4 R09: 000000000000001c
+ R10: 0000000000040005 R11: 0000000000000286 R12: 00000000ffffffff
+ R13: 0000000000003760 R14: 00000000006e5820 R15: 0000000000ff8000
+ origin description: ----dst_saddr@sctp_v6_get_dst
+ local variable created at:
+ sk_fullsock include/net/sock.h:2321 [inline]
+ inet6_sk include/linux/ipv6.h:309 [inline]
+ sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
+ sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
+==================================================================
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -510,7 +510,9 @@ static void sctp_v6_to_addr(union sctp_a
+ {
+ addr->sa.sa_family = AF_INET6;
+ addr->v6.sin6_port = port;
++ addr->v6.sin6_flowinfo = 0;
+ addr->v6.sin6_addr = *saddr;
++ addr->v6.sin6_scope_id = 0;
+ }
+
+ /* Compare addresses exactly.
--- /dev/null
+af_key-do-not-use-gfp_kernel-in-atomic-contexts.patch
+dccp-purge-write-queue-in-dccp_destroy_sock.patch
+dccp-defer-ccid_hc_tx_delete-at-dismantle-time.patch
+ipv4-fix-null-dereference-in-free_fib_info_rcu.patch
+net_sched-sfq-update-hierarchical-backlog-when-drop-packet.patch
+net_sched-remove-warning-from-qdisc_hash_add.patch
+ipv4-better-ip_max_mtu-enforcement.patch
+sctp-fully-initialize-the-ipv6-address-in-sctp_v6_to_addr.patch
+tipc-fix-use-after-free.patch
+ipv6-reset-fn-rr_ptr-when-replacing-route.patch
+ipv6-repair-fib6-tree-in-failure-case.patch
+tcp-when-rearming-rto-if-rto-time-is-in-past-then-fire-rto-asap.patch
+irda-do-not-leak-initialized-list.dev-to-userspace.patch
+net-sched-fix-null-pointer-dereference-when-action-calls-some-targets.patch
+net_sched-fix-order-of-queue-length-updates-in-qdisc_replace.patch
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Neal Cardwell <ncardwell@google.com>
+Date: Wed, 16 Aug 2017 17:53:36 -0400
+Subject: tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
+
+From: Neal Cardwell <ncardwell@google.com>
+
+
+[ Upstream commit cdbeb633ca71a02b7b63bfeb94994bf4e1a0b894 ]
+
+In some situations tcp_send_loss_probe() can realize that it's unable
+to send a loss probe (TLP), and falls back to calling tcp_rearm_rto()
+to schedule an RTO timer. In such cases, sometimes tcp_rearm_rto()
+realizes that the RTO was eligible to fire immediately or at some
+point in the past (delta_us <= 0). Previously in such cases
+tcp_rearm_rto() was scheduling such "overdue" RTOs to happen at now +
+icsk_rto, which caused needless delays of hundreds of milliseconds
+(and non-linear behavior that made reproducible testing
+difficult). This commit changes the logic to schedule "overdue" RTOs
+ASAP, rather than at now + icsk_rto.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Suggested-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3028,8 +3028,7 @@ void tcp_rearm_rto(struct sock *sk)
+ /* delta may not be positive if the socket is locked
+ * when the retrans timer fires and is rescheduled.
+ */
+- if (delta > 0)
+- rto = delta;
++ delta = max(delta, 1);
+ }
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, rto,
+ TCP_RTO_MAX);
--- /dev/null
+From foo@baz Thu Aug 24 17:48:38 PDT 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Aug 2017 09:41:54 -0700
+Subject: tipc: fix use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5bfd37b4de5c98e86b12bd13be5aa46c7484a125 ]
+
+syszkaller reported use-after-free in tipc [1]
+
+When msg->rep skb is freed, set the pointer to NULL,
+so that caller does not free it again.
+
+[1]
+
+==================================================================
+BUG: KASAN: use-after-free in skb_push+0xd4/0xe0 net/core/skbuff.c:1466
+Read of size 8 at addr ffff8801c6e71e90 by task syz-executor5/4115
+
+CPU: 1 PID: 4115 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x24e/0x340 mm/kasan/report.c:409
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
+ skb_push+0xd4/0xe0 net/core/skbuff.c:1466
+ tipc_nl_compat_recv+0x833/0x18f0 net/tipc/netlink_compat.c:1209
+ genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:598
+ genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:623
+ netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2397
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:634
+ netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
+ netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1291
+ netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1854
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ sock_write_iter+0x31a/0x5d0 net/socket.c:898
+ call_write_iter include/linux/fs.h:1743 [inline]
+ new_sync_write fs/read_write.c:457 [inline]
+ __vfs_write+0x684/0x970 fs/read_write.c:470
+ vfs_write+0x189/0x510 fs/read_write.c:518
+ SYSC_write fs/read_write.c:565 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:557
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+RIP: 0033:0x4512e9
+RSP: 002b:00007f3bc8184c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004512e9
+RDX: 0000000000000020 RSI: 0000000020fdb000 RDI: 0000000000000006
+RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b5e76
+R13: 00007f3bc8184b48 R14: 00000000004b5e86 R15: 0000000000000000
+
+Allocated by task 4115:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc_node+0x13d/0x750 mm/slab.c:3651
+ __alloc_skb+0xf1/0x740 net/core/skbuff.c:219
+ alloc_skb include/linux/skbuff.h:903 [inline]
+ tipc_tlv_alloc+0x26/0xb0 net/tipc/netlink_compat.c:148
+ tipc_nl_compat_dumpit+0xf2/0x3c0 net/tipc/netlink_compat.c:248
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1130 [inline]
+ tipc_nl_compat_recv+0x756/0x18f0 net/tipc/netlink_compat.c:1199
+ genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:598
+ genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:623
+ netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2397
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:634
+ netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
+ netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1291
+ netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1854
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ sock_write_iter+0x31a/0x5d0 net/socket.c:898
+ call_write_iter include/linux/fs.h:1743 [inline]
+ new_sync_write fs/read_write.c:457 [inline]
+ __vfs_write+0x684/0x970 fs/read_write.c:470
+ vfs_write+0x189/0x510 fs/read_write.c:518
+ SYSC_write fs/read_write.c:565 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:557
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Freed by task 4115:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
+ __cache_free mm/slab.c:3503 [inline]
+ kmem_cache_free+0x77/0x280 mm/slab.c:3763
+ kfree_skbmem+0x1a1/0x1d0 net/core/skbuff.c:622
+ __kfree_skb net/core/skbuff.c:682 [inline]
+ kfree_skb+0x165/0x4c0 net/core/skbuff.c:699
+ tipc_nl_compat_dumpit+0x36a/0x3c0 net/tipc/netlink_compat.c:260
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1130 [inline]
+ tipc_nl_compat_recv+0x756/0x18f0 net/tipc/netlink_compat.c:1199
+ genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:598
+ genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:623
+ netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2397
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:634
+ netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline]
+ netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1291
+ netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1854
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ sock_write_iter+0x31a/0x5d0 net/socket.c:898
+ call_write_iter include/linux/fs.h:1743 [inline]
+ new_sync_write fs/read_write.c:457 [inline]
+ __vfs_write+0x684/0x970 fs/read_write.c:470
+ vfs_write+0x189/0x510 fs/read_write.c:518
+ SYSC_write fs/read_write.c:565 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:557
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+The buggy address belongs to the object at ffff8801c6e71dc0
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 208 bytes inside of
+ 224-byte region [ffff8801c6e71dc0, ffff8801c6e71ea0)
+The buggy address belongs to the page:
+page:ffffea00071b9c40 count:1 mapcount:0 mapping:ffff8801c6e71000 index:0x0
+flags: 0x200000000000100(slab)
+raw: 0200000000000100 ffff8801c6e71000 0000000000000000 000000010000000c
+raw: ffffea0007224a20 ffff8801d98caf48 ffff8801d9e79040 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801c6e71d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801c6e71e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801c6e71e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8801c6e71f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8801c6e71f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -258,13 +258,15 @@ static int tipc_nl_compat_dumpit(struct
+ arg = nlmsg_new(0, GFP_KERNEL);
+ if (!arg) {
+ kfree_skb(msg->rep);
++ msg->rep = NULL;
+ return -ENOMEM;
+ }
+
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+- if (err)
++ if (err) {
+ kfree_skb(msg->rep);
+-
++ msg->rep = NULL;
++ }
+ kfree_skb(arg);
+
+ return err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
