--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:36 -0800
+Subject: ax25: fix a use-after-free in ax25_fillin_cb()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ]
+
+There are multiple issues here:
+
+1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise
+ we may use a dangling pointer.
+
+2. There is a race between ax25_setsockopt() and device notifier as
+ reported by syzbot. Close it by holding RTNL lock.
+
+3. We need to test if dev->ax25_ptr is NULL before using it.
+
+Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 11 +++++++++--
+ net/ax25/ax25_dev.c | 2 ++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket
+ break;
+ }
+
+- dev = dev_get_by_name(&init_net, devname);
++ rtnl_lock();
++ dev = __dev_get_by_name(&init_net, devname);
+ if (!dev) {
++ rtnl_unlock();
+ res = -ENODEV;
+ break;
+ }
+
+ ax25->ax25_dev = ax25_dev_ax25dev(dev);
++ if (!ax25->ax25_dev) {
++ rtnl_unlock();
++ res = -ENODEV;
++ break;
++ }
+ ax25_fillin_cb(ax25, ax25->ax25_dev);
+- dev_put(dev);
++ rtnl_unlock();
+ break;
+
+ default:
+--- a/net/ax25/ax25_dev.c
++++ b/net/ax25/ax25_dev.c
+@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_dev
+ if ((s = ax25_dev_list) == ax25_dev) {
+ ax25_dev_list = s->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
+@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_dev
+ if (s->next == ax25_dev) {
+ s->next = ax25_dev->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
--- /dev/null
+From foo@baz Fri Jan 4 20:27:35 CET 2019
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 19 Dec 2018 23:23:00 +0100
+Subject: gro_cell: add napi_disable in gro_cells_destroy
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 8e1da73acded4751a93d4166458a7e640f37d26c ]
+
+Add napi_disable routine in gro_cells_destroy since starting from
+commit c42858eaf492 ("gro_cells: remove spinlock protecting receive
+queues") gro_cell_poll and gro_cells_destroy can run concurrently on
+napi_skbs list producing a kernel Oops if the tunnel interface is
+removed while gro_cell_poll is running. The following Oops has been
+triggered removing a vxlan device while the interface is receiving
+traffic
+
+[ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 5628.949981] PGD 0 P4D 0
+[ 5628.950308] Oops: 0002 [#1] SMP PTI
+[ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41
+[ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.960682] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.961616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.964871] Call Trace:
+[ 5628.965179] net_rx_action+0xf0/0x380
+[ 5628.965637] __do_softirq+0xc7/0x431
+[ 5628.966510] run_ksoftirqd+0x24/0x30
+[ 5628.966957] smpboot_thread_fn+0xc5/0x160
+[ 5628.967436] kthread+0x113/0x130
+[ 5628.968283] ret_from_fork+0x3a/0x50
+[ 5628.968721] Modules linked in:
+[ 5628.969099] CR2: 0000000000000008
+[ 5628.969510] ---[ end trace 9d9dedc7181661fe ]---
+[ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.978296] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.979327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt
+[ 5628.983307] Kernel Offset: disabled
+
+Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/gro_cells.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/gro_cells.h
++++ b/include/net/gro_cells.h
+@@ -84,6 +84,7 @@ static inline void gro_cells_destroy(str
+ for_each_possible_cpu(i) {
+ struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
+
++ napi_disable(&cell->napi);
+ netif_napi_del(&cell->napi);
+ __skb_queue_purge(&cell->napi_skbs);
+ }
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Mon, 31 Dec 2018 15:43:01 -0600
+Subject: ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+[ Upstream commit 756af9c642329d54f048bac2a62f829b391f6944 ]
+
+Commit 33a48ab105a7 ("ibmveth: Fix DMA unmap error") fixed an issue in the
+normal code path of ibmveth_xmit_start() that was originally introduced by
+Commit 6e8ab30ec677 ("ibmveth: Add scatter-gather support"). This original
+fix missed the error path where dma_unmap_page is wrongly called on the
+header portion in descs[0] which was mapped with dma_map_single. As a
+result a failure to DMA map any of the frags results in a dmesg warning
+when CONFIG_DMA_API_DEBUG is enabled.
+
+------------[ cut here ]------------
+DMA-API: ibmveth 30000002: device driver frees DMA memory with wrong function
+ [device address=0x000000000a430000] [size=172 bytes] [mapped as page] [unmapped as single]
+WARNING: CPU: 1 PID: 8426 at kernel/dma/debug.c:1085 check_unmap+0x4fc/0xe10
+...
+<snip>
+...
+DMA-API: Mapped at:
+ibmveth_start_xmit+0x30c/0xb60
+dev_hard_start_xmit+0x100/0x450
+sch_direct_xmit+0x224/0x490
+__qdisc_run+0x20c/0x980
+__dev_queue_xmit+0x1bc/0xf20
+
+This fixes the API misuse by unampping descs[0] with dma_unmap_single.
+
+Fixes: 6e8ab30ec677 ("ibmveth: Add scatter-gather support")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1163,11 +1163,15 @@ out:
+
+ map_failed_frags:
+ last = i+1;
+- for (i = 0; i < last; i++)
++ for (i = 1; i < last; i++)
+ dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
+ descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+ DMA_TO_DEVICE);
+
++ dma_unmap_single(&adapter->vdev->dev,
++ descs[0].fields.address,
++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
++ DMA_TO_DEVICE);
+ map_failed:
+ if (!firmware_has_feature(FW_FEATURE_CMO))
+ netdev_err(netdev, "tx: unable to map xmit buffer\n");
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Sun, 23 Dec 2018 12:52:18 -0500
+Subject: ieee802154: lowpan_header_create check must check daddr
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 40c3ff6d5e0809505a067dd423c110c5658c478c ]
+
+Packet sockets may call dev_header_parse with NULL daddr. Make
+lowpan_header_ops.create fail.
+
+Fixes: 87a93e4eceb4 ("ieee802154: change needed headroom/tailroom")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/6lowpan/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/6lowpan/tx.c
++++ b/net/ieee802154/6lowpan/tx.c
+@@ -55,6 +55,9 @@ int lowpan_header_create(struct sk_buff
+ const u8 *daddr = _daddr;
+ struct lowpan_addr_info *info;
+
++ if (!daddr)
++ return -EINVAL;
++
+ /* TODO:
+ * if this package isn't ipv6 one, where should it be routed?
+ */
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 18 Dec 2018 21:17:44 -0800
+Subject: ipv6: explicitly initialize udp6_addr in udp_sock_create6()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit fb24274546310872eeeaf3d1d53799d8414aa0f2 ]
+
+syzbot reported the use of uninitialized udp6_addr::sin6_scope_id.
+We can just set ::sin6_scope_id to zero, as tunnels are unlikely
+to use an IPv6 address that needs a scope id and there is no
+interface to bind in this context.
+
+For net-next, it looks different as we have cfg->bind_ifindex there
+so we can probably call ipv6_iface_scope_id().
+
+Same for ::sin6_flowinfo, tunnels don't use it.
+
+Fixes: 8024e02879dd ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
+Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_udp_tunnel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_udp_tunnel.c
++++ b/net/ipv6/ip6_udp_tunnel.c
+@@ -15,7 +15,7 @@
+ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ struct socket **sockp)
+ {
+- struct sockaddr_in6 udp6_addr;
++ struct sockaddr_in6 udp6_addr = {};
+ int err;
+ struct socket *sock = NULL;
+
+@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, st
+ goto error;
+
+ if (cfg->peer_udp_port) {
++ memset(&udp6_addr, 0, sizeof(udp6_addr));
+ udp6_addr.sin6_family = AF_INET6;
+ memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
+ sizeof(udp6_addr.sin6_addr));
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 2 Jan 2019 09:20:27 -0800
+Subject: isdn: fix kernel-infoleak in capi_unlocked_ioctl
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ]
+
+Since capi_ioctl() copies 64 bytes after calling
+capi20_get_manufacturer() we need to ensure to not leak
+information to user.
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ capi_ioctl include/linux/uaccess.h:177 [inline]
+ capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+ ksys_ioctl fs/ioctl.c:713 [inline]
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
+ __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440019
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
+RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0
+R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----data.i@capi_unlocked_ioctl
+Variable was created at:
+ capi_ioctl drivers/isdn/capi/capi.c:747 [inline]
+ capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+
+Bytes 12-63 of 64 are uninitialized
+Memory access of size 64 starts at ffff88807ac5fce8
+Data copied to user address 0000000020000080
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/capi/kcapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u
+ u16 ret;
+
+ if (contr == 0) {
+- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+ return CAPI_NOERROR;
+ }
+
+@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u
+
+ ctr = get_capi_ctr_by_nr(contr);
+ if (ctr && ctr->state == CAPI_CTR_RUNNING) {
+- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+ ret = CAPI_NOERROR;
+ } else
+ ret = CAPI_REGNOTINSTALLED;
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:38 -0800
+Subject: netrom: fix locking in nr_find_socket()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ]
+
+nr_find_socket(), nr_find_peer() and nr_find_listener() lock the
+sock after finding it in the global list. However, the call path
+requires BH disabled for the sock lock consistently.
+
+Actually the locking is unnecessary at this point, we can just hold
+the sock refcnt to make sure it is not gone after we unlock the global
+list, and lock it later only when needed.
+
+Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax2
+ sk_for_each(s, &nr_list)
+ if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
+ s->sk_state == TCP_LISTEN) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ s = NULL;
+@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsig
+ struct nr_sock *nr = nr_sk(s);
+
+ if (nr->my_index == index && nr->my_id == id) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigne
+
+ if (nr->your_index == index && nr->your_id == id &&
+ !ax25cmp(&nr->dest_addr, dest)) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circu
+ if (i != 0 && j != 0) {
+ if ((sk=nr_find_socket(i, j)) == NULL)
+ break;
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ id++;
+@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ }
+
+ if (sk != NULL) {
++ bh_lock_sock(sk);
+ skb_reset_transport_header(skb);
+
+ if (frametype == NR_CONNACK && skb->len == 22)
+@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+
+ ret = nr_process_rx_frame(sk, skb);
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ return ret;
+ }
+
+@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, str
+ (make = nr_make_new(sk)) == NULL) {
+ nr_transmit_refusal(skb, 0);
+ if (sk)
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ return 0;
+ }
+
++ bh_lock_sock(sk);
++
+ window = skb->data[20];
+
+ skb->sk = make;
+@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ sk->sk_data_ready(sk);
+
+ bh_unlock_sock(sk);
++ sock_put(sk);
+
+ nr_insert_socket(make);
+
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Sat, 22 Dec 2018 16:53:45 -0500
+Subject: packet: validate address length if non-zero
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ]
+
+Validate packet socket address length if a length is given. Zero
+length is equivalent to not setting an address.
+
+Fixes: 99137b7888f4 ("packet: validate address length")
+Reported-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2511,7 +2511,7 @@ static int tpacket_snd(struct packet_soc
+ sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
+@@ -2680,7 +2680,7 @@ static int packet_snd(struct socket *soc
+ if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 21 Dec 2018 12:06:59 -0500
+Subject: packet: validate address length
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ]
+
+Packet sockets with SOCK_DGRAM may pass an address for use in
+dev_hard_header. Ensure that it is of sufficient length.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2513,6 +2513,8 @@ static int tpacket_snd(struct packet_soc
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
+@@ -2680,6 +2682,8 @@ static int packet_snd(struct socket *soc
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 10 Dec 2018 18:00:52 +0800
+Subject: sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]
+
+syzbot reported a kernel-infoleak, which is caused by an uninitialized
+field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
+The call trace is as below:
+
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+ CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x32d/0x480 lib/dump_stack.c:113
+ kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
+ kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
+ kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
+ _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:183 [inline]
+ sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
+ sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
+ sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
+ __sys_getsockopt+0x489/0x550 net/socket.c:1939
+ __do_sys_getsockopt net/socket.c:1950 [inline]
+ __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
+ __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
+ do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
+setting it to 0.
+
+The issue exists since very beginning.
+Thanks Alexander for the reproducer provided.
+
+Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+ addr->a.v6.sin6_port = 0;
++ addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
ipv4-fix-potential-spectre-v1-vulnerability.patch
net-core-fix-spectre-v1-vulnerability.patch
phonet-af_phonet-fix-spectre-v1-vulnerability.patch
+ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
+ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch
+ieee802154-lowpan_header_create-check-must-check-daddr.patch
+ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch
+isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
+netrom-fix-locking-in-nr_find_socket.patch
+packet-validate-address-length.patch
+packet-validate-address-length-if-non-zero.patch
+sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch
+vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
+vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
+xen-netfront-tolerate-frags-with-no-data.patch
+gro_cell-add-napi_disable-in-gro_cells_destroy.patch
+sock-make-sock-sk_stamp-thread-safe.patch
--- /dev/null
+From foo@baz Fri Jan 4 20:01:52 CET 2019
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Thu, 27 Dec 2018 18:55:09 -0800
+Subject: sock: Make sock->sk_stamp thread-safe
+
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+
+[ Upstream commit 3a0ed3e9619738067214871e9cb826fa23b2ddb9 ]
+
+Al Viro mentioned (Message-ID
+<20170626041334.GZ10672@ZenIV.linux.org.uk>)
+that there is probably a race condition
+lurking in accesses of sk_stamp on 32-bit machines.
+
+sock->sk_stamp is of type ktime_t which is always an s64.
+On a 32 bit architecture, we might run into situations of
+unsafe access as the access to the field becomes non atomic.
+
+Use seqlocks for synchronization.
+This allows us to avoid using spinlocks for readers as
+readers do not need mutual exclusion.
+
+Another approach to solve this is to require sk_lock for all
+modifications of the timestamps. The current approach allows
+for timestamps to have their own lock: sk_stamp_lock.
+This allows for the patch to not compete with already
+existing critical sections, and side effects are limited
+to the paths in the patch.
+
+The addition of the new field maintains the data locality
+optimizations from
+commit 9115e8cd2a0c ("net: reorganize struct sock for better data
+locality")
+
+Note that all the instances of the sk_stamp accesses
+are either through the ioctl or the syscall recvmsg.
+
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 36 ++++++++++++++++++++++++++++++++++--
+ net/compat.c | 15 +++++++++------
+ net/core/sock.c | 3 +++
+ net/sunrpc/svcsock.c | 2 +-
+ 4 files changed, 47 insertions(+), 9 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -299,6 +299,7 @@ struct cg_proto;
+ * @sk_filter: socket filtering instructions
+ * @sk_timer: sock cleanup timer
+ * @sk_stamp: time stamp of last packet received
++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
+ * @sk_tsflags: SO_TIMESTAMPING socket options
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_socket: Identd and reporting IO signals
+@@ -434,6 +435,9 @@ struct sock {
+ long sk_sndtimeo;
+ struct timer_list sk_timer;
+ ktime_t sk_stamp;
++#if BITS_PER_LONG==32
++ seqlock_t sk_stamp_seq;
++#endif
+ u16 sk_tsflags;
+ u32 sk_tskey;
+ struct socket *sk_socket;
+@@ -2146,6 +2150,34 @@ static inline void sk_drops_add(struct s
+ atomic_add(segs, &sk->sk_drops);
+ }
+
++static inline ktime_t sock_read_timestamp(struct sock *sk)
++{
++#if BITS_PER_LONG==32
++ unsigned int seq;
++ ktime_t kt;
++
++ do {
++ seq = read_seqbegin(&sk->sk_stamp_seq);
++ kt = sk->sk_stamp;
++ } while (read_seqretry(&sk->sk_stamp_seq, seq));
++
++ return kt;
++#else
++ return sk->sk_stamp;
++#endif
++}
++
++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
++{
++#if BITS_PER_LONG==32
++ write_seqlock(&sk->sk_stamp_seq);
++ sk->sk_stamp = kt;
++ write_sequnlock(&sk->sk_stamp_seq);
++#else
++ sk->sk_stamp = kt;
++#endif
++}
++
+ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ struct sk_buff *skb);
+ void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
+@@ -2170,7 +2202,7 @@ sock_recv_timestamp(struct msghdr *msg,
+ (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
+ __sock_recv_timestamp(msg, sk, skb);
+ else
+- sk->sk_stamp = kt;
++ sock_write_timestamp(sk, kt);
+
+ if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
+ __sock_recv_wifi_status(msg, sk, skb);
+@@ -2190,7 +2222,7 @@ static inline void sock_recv_ts_and_drop
+ if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
+ __sock_recv_ts_and_drops(msg, sk, skb);
+ else
+- sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(sk, skb->tstamp);
+ }
+
+ void __sock_tx_timestamp(const struct sock *sk, __u8 *tx_flags);
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -443,12 +443,14 @@ int compat_sock_get_timestamp(struct soc
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- tv = ktime_to_timeval(sk->sk_stamp);
++ tv = ktime_to_timeval(sock_read_timestamp(sk));
++
+ if (tv.tv_sec == -1)
+ return err;
+ if (tv.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- tv = ktime_to_timeval(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ tv = ktime_to_timeval(kt);
+ }
+ err = 0;
+ if (put_user(tv.tv_sec, &ctv->tv_sec) ||
+@@ -471,12 +473,13 @@ int compat_sock_get_timestampns(struct s
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ts = ktime_to_timespec(sock_read_timestamp(sk));
+ if (ts.tv_sec == -1)
+ return err;
+ if (ts.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ ts = ktime_to_timespec(kt);
+ }
+ err = 0;
+ if (put_user(ts.tv_sec, &ctv->tv_sec) ||
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2423,6 +2423,9 @@ void sock_init_data(struct socket *sock,
+ sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+
+ sk->sk_stamp = ktime_set(-1L, 0);
++#if BITS_PER_LONG==32
++ seqlock_init(&sk->sk_stamp_seq);
++#endif
+
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ sk->sk_napi_id = 0;
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -614,7 +614,7 @@ static int svc_udp_recvfrom(struct svc_r
+ /* Don't enable netstamp, sunrpc doesn't
+ need that much accuracy */
+ }
+- svsk->sk_sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(svsk->sk_sk, skb->tstamp);
+ set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
+
+ len = skb->len - sizeof(struct udphdr);
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 13 Dec 2018 10:53:37 +0800
+Subject: vhost: make sure used idx is seen before log in vhost_add_used_n()
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ]
+
+We miss a write barrier that guarantees used idx is updated and seen
+before log. This will let userspace sync and copy used ring before
+used idx is update. Fix this by adding a barrier before log_write().
+
+Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1550,6 +1550,8 @@ int vhost_add_used_n(struct vhost_virtqu
+ return -EFAULT;
+ }
+ if (unlikely(vq->log_used)) {
++ /* Make sure used idx is seen before log. */
++ smp_wmb();
+ /* Log used index update. */
+ log_write(vq->log_base,
+ vq->log_addr + offsetof(struct vring_used, idx),
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Jorgen Hansen <jhansen@vmware.com>
+Date: Tue, 18 Dec 2018 00:34:06 -0800
+Subject: VSOCK: Send reset control packet when socket is partially bound
+
+From: Jorgen Hansen <jhansen@vmware.com>
+
+[ Upstream commit a915b982d8f5e4295f64b8dd37ce753874867e88 ]
+
+If a server side socket is bound to an address, but not in the listening
+state yet, incoming connection requests should receive a reset control
+packet in response. However, the function used to send the reset
+silently drops the reset packet if the sending socket isn't bound
+to a remote address (as is the case for a bound socket not yet in
+the listening state). This change fixes this by using the src
+of the incoming packet as destination for the reset packet in
+this case.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Adit Ranadive <aditr@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c | 67 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 50 insertions(+), 17 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -273,6 +273,31 @@ vmci_transport_send_control_pkt_bh(struc
+ }
+
+ static int
++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
++ struct sockaddr_vm *dst,
++ enum vmci_transport_packet_type type,
++ u64 size,
++ u64 mode,
++ struct vmci_transport_waiting_info *wait,
++ u16 proto,
++ struct vmci_handle handle)
++{
++ struct vmci_transport_packet *pkt;
++ int err;
++
++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
++ if (!pkt)
++ return -ENOMEM;
++
++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
++ mode, wait, proto, handle,
++ true);
++ kfree(pkt);
++
++ return err;
++}
++
++static int
+ vmci_transport_send_control_pkt(struct sock *sk,
+ enum vmci_transport_packet_type type,
+ u64 size,
+@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct s
+ u16 proto,
+ struct vmci_handle handle)
+ {
+- struct vmci_transport_packet *pkt;
+ struct vsock_sock *vsk;
+- int err;
+
+ vsk = vsock_sk(sk);
+
+@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct s
+ if (!vsock_addr_bound(&vsk->remote_addr))
+ return -EINVAL;
+
+- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
+- if (!pkt)
+- return -ENOMEM;
+-
+- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
+- &vsk->remote_addr, type, size,
+- mode, wait, proto, handle,
+- true);
+- kfree(pkt);
+-
+- return err;
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
++ &vsk->remote_addr,
++ type, size, mode,
++ wait, proto, handle);
+ }
+
+ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(
+ static int vmci_transport_send_reset(struct sock *sk,
+ struct vmci_transport_packet *pkt)
+ {
++ struct sockaddr_vm *dst_ptr;
++ struct sockaddr_vm dst;
++ struct vsock_sock *vsk;
++
+ if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
+ return 0;
+- return vmci_transport_send_control_pkt(sk,
+- VMCI_TRANSPORT_PACKET_TYPE_RST,
+- 0, 0, NULL, VSOCK_PROTO_INVALID,
+- VMCI_INVALID_HANDLE);
++
++ vsk = vsock_sk(sk);
++
++ if (!vsock_addr_bound(&vsk->local_addr))
++ return -EINVAL;
++
++ if (vsock_addr_bound(&vsk->remote_addr)) {
++ dst_ptr = &vsk->remote_addr;
++ } else {
++ vsock_addr_init(&dst, pkt->dg.src.context,
++ pkt->src_port);
++ dst_ptr = &dst;
++ }
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
++ VMCI_TRANSPORT_PACKET_TYPE_RST,
++ 0, 0, NULL, VSOCK_PROTO_INVALID,
++ VMCI_INVALID_HANDLE);
+ }
+
+ static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
--- /dev/null
+From foo@baz Sat Jan 5 08:30:28 CET 2019
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 18 Dec 2018 16:06:19 +0100
+Subject: xen/netfront: tolerate frags with no data
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ]
+
+At least old Xen net backends seem to send frags with no real data
+sometimes. In case such a fragment happens to occur with the frag limit
+already reached the frontend will BUG currently even if this situation
+is easily recoverable.
+
+Modify the BUG_ON() condition accordingly.
+
+Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -889,7 +889,7 @@ static RING_IDX xennet_fill_frags(struct
+ if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+- BUG_ON(pull_to <= skb_headlen(skb));
++ BUG_ON(pull_to < skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
