4.14-stable patches

added patches:
	amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch
	amd-xgbe-improve-kr-auto-negotiation-and-training.patch
	amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch
	bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
	ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
	ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch
	keys-dns-limit-the-length-of-option-strings.patch
	l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
	llc-delete-timers-synchronously-in-llc_sk_free.patch
	llc-fix-null-pointer-deref-for-sock_zapped.patch
	llc-hold-llc_sap-before-release_sock.patch
	net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
	net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
	net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
	net-sched-ife-check-on-metadata-length.patch
	net-sched-ife-handle-malformed-tlv-length.patch
	net-sched-ife-signal-not-finding-metaid.patch
	net-smc-fix-shutdown-in-state-smc_listen.patch
	net-validate-attribute-sizes-in-neigh_dump_table.patch
	packet-fix-bitfield-update-race.patch
	pppoe-check-sockaddr-length-in-pppoe_connect.patch
	sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
	strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch
	strparser-fix-incorrect-strp-need_bytes-value.patch
	tcp-clear-tp-packets_out-when-purging-write-queue.patch
	tcp-don-t-read-out-of-bounds-opsize.patch
	tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
	team-avoid-adding-twice-the-same-option-to-the-event-list.patch
	team-fix-netconsole-setup-over-team.patch
	tipc-add-policy-for-tipc_nla_net_addr.patch
	virtio_net-fix-adding-vids-on-big-endian.patch
	virtio_net-split-out-ctrl-buffer.patch
	vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch

diff --git a/queue-4.14/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch b/queue-4.14/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch
new file mode 100644 (file)
index 0000000..bbad2bb
--- /dev/null
+++ b/queue-4.14/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch
@@ -0,0 +1,98 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:08 -0500
+Subject: amd-xgbe: Add pre/post auto-negotiation phy hooks
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 4d945663a6a0acf3cbe45940503f2eb9584bfee7 ]
+
+Add hooks to the driver auto-negotiation (AN) flow to allow the different
+phy implementations to perform any steps necessary to improve AN.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c |   16 ++++++++++++++--
+ drivers/net/ethernet/amd/xgbe/xgbe.h      |    5 +++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -437,6 +437,9 @@ static void xgbe_an73_disable(struct xgb
+ 
+ static void xgbe_an_restart(struct xgbe_prv_data *pdata)
+ {
++      if (pdata->phy_if.phy_impl.an_pre)
++              pdata->phy_if.phy_impl.an_pre(pdata);
++
+       switch (pdata->an_mode) {
+       case XGBE_AN_MODE_CL73:
+       case XGBE_AN_MODE_CL73_REDRV:
+@@ -453,6 +456,9 @@ static void xgbe_an_restart(struct xgbe_
+ 
+ static void xgbe_an_disable(struct xgbe_prv_data *pdata)
+ {
++      if (pdata->phy_if.phy_impl.an_post)
++              pdata->phy_if.phy_impl.an_post(pdata);
++
+       switch (pdata->an_mode) {
+       case XGBE_AN_MODE_CL73:
+       case XGBE_AN_MODE_CL73_REDRV:
+@@ -637,11 +643,11 @@ static enum xgbe_an xgbe_an73_incompat_l
+                       return XGBE_AN_NO_LINK;
+       }
+ 
+-      xgbe_an73_disable(pdata);
++      xgbe_an_disable(pdata);
+ 
+       xgbe_switch_mode(pdata);
+ 
+-      xgbe_an73_restart(pdata);
++      xgbe_an_restart(pdata);
+ 
+       return XGBE_AN_INCOMPAT_LINK;
+ }
+@@ -820,6 +826,9 @@ static void xgbe_an37_state_machine(stru
+               pdata->an_result = pdata->an_state;
+               pdata->an_state = XGBE_AN_READY;
+ 
++              if (pdata->phy_if.phy_impl.an_post)
++                      pdata->phy_if.phy_impl.an_post(pdata);
++
+               netif_dbg(pdata, link, pdata->netdev, "CL37 AN result: %s\n",
+                         xgbe_state_as_string(pdata->an_result));
+       }
+@@ -903,6 +912,9 @@ again:
+               pdata->kx_state = XGBE_RX_BPA;
+               pdata->an_start = 0;
+ 
++              if (pdata->phy_if.phy_impl.an_post)
++                      pdata->phy_if.phy_impl.an_post(pdata);
++
+               netif_dbg(pdata, link, pdata->netdev, "CL73 AN result: %s\n",
+                         xgbe_state_as_string(pdata->an_result));
+       }
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -833,6 +833,7 @@ struct xgbe_hw_if {
+ /* This structure represents implementation specific routines for an
+  * implementation of a PHY. All routines are required unless noted below.
+  *   Optional routines:
++ *     an_pre, an_post
+  *     kr_training_pre, kr_training_post
+  */
+ struct xgbe_phy_impl_if {
+@@ -875,6 +876,10 @@ struct xgbe_phy_impl_if {
+       /* Process results of auto-negotiation */
+       enum xgbe_mode (*an_outcome)(struct xgbe_prv_data *);
+ 
++      /* Pre/Post auto-negotiation support */
++      void (*an_pre)(struct xgbe_prv_data *);
++      void (*an_post)(struct xgbe_prv_data *);
++
+       /* Pre/Post KR training enablement support */
+       void (*kr_training_pre)(struct xgbe_prv_data *);
+       void (*kr_training_post)(struct xgbe_prv_data *);

diff --git a/queue-4.14/amd-xgbe-improve-kr-auto-negotiation-and-training.patch b/queue-4.14/amd-xgbe-improve-kr-auto-negotiation-and-training.patch
new file mode 100644 (file)
index 0000000..928eb48
--- /dev/null
+++ b/queue-4.14/amd-xgbe-improve-kr-auto-negotiation-and-training.patch
@@ -0,0 +1,348 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:17 -0500
+Subject: amd-xgbe: Improve KR auto-negotiation and training
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 96f4d430c507ed4856048c2dc9c1a2ea5b5e74e4 ]
+
+Update xgbe-phy-v2.c to make use of the auto-negotiation (AN) phy hooks
+to improve the ability to successfully complete Clause 73 AN when running
+at 10gbps.  Hardware can sometimes have issues with CDR lock when the
+AN DME page exchange is being performed.
+
+The AN and KR training hooks are used as follows:
+- The pre AN hook is used to disable CDR tracking in the PHY so that the
+  DME page exchange can be successfully and consistently completed.
+- The post KR training hook is used to re-enable the CDR tracking so that
+  KR training can successfully complete.
+- The post AN hook is used to check for an unsuccessful AN which will
+  increase a CDR tracking enablement delay (up to a maximum value).
+
+Add two debugfs entries to allow control over use of the CDR tracking
+workaround.  The debugfs entries allow the CDR tracking workaround to
+be disabled and determine whether to re-enable CDR tracking before or
+after link training has been initiated.
+
+Also, with these changes the receiver reset cycle that is performed during
+the link status check can be performed less often.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h  |    8 +
+ drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c |   16 +++
+ drivers/net/ethernet/amd/xgbe/xgbe-main.c    |    1 
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c    |    8 +
+ drivers/net/ethernet/amd/xgbe/xgbe-pci.c     |    2 
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c  |  125 ++++++++++++++++++++++++++-
+ drivers/net/ethernet/amd/xgbe/xgbe.h         |    4 
+ 7 files changed, 160 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1321,6 +1321,10 @@
+ #define MDIO_VEND2_AN_STAT            0x8002
+ #endif
+ 
++#ifndef MDIO_VEND2_PMA_CDR_CONTROL
++#define MDIO_VEND2_PMA_CDR_CONTROL    0x8056
++#endif
++
+ #ifndef MDIO_CTRL1_SPEED1G
+ #define MDIO_CTRL1_SPEED1G            (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100)
+ #endif
+@@ -1369,6 +1373,10 @@
+ #define XGBE_AN_CL37_TX_CONFIG_MASK   0x08
+ #define XGBE_AN_CL37_MII_CTRL_8BIT    0x0100
+ 
++#define XGBE_PMA_CDR_TRACK_EN_MASK    0x01
++#define XGBE_PMA_CDR_TRACK_EN_OFF     0x00
++#define XGBE_PMA_CDR_TRACK_EN_ON      0x01
++
+ /* Bit setting and getting macros
+  *  The get macro will extract the current bit field value from within
+  *  the variable
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c
+@@ -519,6 +519,22 @@ void xgbe_debugfs_init(struct xgbe_prv_d
+                                  "debugfs_create_file failed\n");
+       }
+ 
++      if (pdata->vdata->an_cdr_workaround) {
++              pfile = debugfs_create_bool("an_cdr_workaround", 0600,
++                                          pdata->xgbe_debugfs,
++                                          &pdata->debugfs_an_cdr_workaround);
++              if (!pfile)
++                      netdev_err(pdata->netdev,
++                                 "debugfs_create_bool failed\n");
++
++              pfile = debugfs_create_bool("an_cdr_track_early", 0600,
++                                          pdata->xgbe_debugfs,
++                                          &pdata->debugfs_an_cdr_track_early);
++              if (!pfile)
++                      netdev_err(pdata->netdev,
++                                 "debugfs_create_bool failed\n");
++      }
++
+       kfree(buf);
+ }
+ 
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
+@@ -349,6 +349,7 @@ int xgbe_config_netdev(struct xgbe_prv_d
+       XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1);
+ 
+       /* Call MDIO/PHY initialization routine */
++      pdata->debugfs_an_cdr_workaround = pdata->vdata->an_cdr_workaround;
+       ret = pdata->phy_if.phy_init(pdata);
+       if (ret)
+               return ret;
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -432,6 +432,8 @@ static void xgbe_an73_disable(struct xgb
+       xgbe_an73_set(pdata, false, false);
+       xgbe_an73_disable_interrupts(pdata);
+ 
++      pdata->an_start = 0;
++
+       netif_dbg(pdata, link, pdata->netdev, "CL73 AN disabled\n");
+ }
+ 
+@@ -511,11 +513,11 @@ static enum xgbe_an xgbe_an73_tx_trainin
+               XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL,
+                           reg);
+ 
+-              if (pdata->phy_if.phy_impl.kr_training_post)
+-                      pdata->phy_if.phy_impl.kr_training_post(pdata);
+-
+               netif_dbg(pdata, link, pdata->netdev,
+                         "KR training initiated\n");
++
++              if (pdata->phy_if.phy_impl.kr_training_post)
++                      pdata->phy_if.phy_impl.kr_training_post(pdata);
+       }
+ 
+       return XGBE_AN_PAGE_RECEIVED;
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
+@@ -456,6 +456,7 @@ static const struct xgbe_version_data xg
+       .irq_reissue_support            = 1,
+       .tx_desc_prefetch               = 5,
+       .rx_desc_prefetch               = 5,
++      .an_cdr_workaround              = 1,
+ };
+ 
+ static const struct xgbe_version_data xgbe_v2b = {
+@@ -470,6 +471,7 @@ static const struct xgbe_version_data xg
+       .irq_reissue_support            = 1,
+       .tx_desc_prefetch               = 5,
+       .rx_desc_prefetch               = 5,
++      .an_cdr_workaround              = 1,
+ };
+ 
+ static const struct pci_device_id xgbe_pci_table[] = {
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -147,6 +147,14 @@
+ /* Rate-change complete wait/retry count */
+ #define XGBE_RATECHANGE_COUNT         500
+ 
++/* CDR delay values for KR support (in usec) */
++#define XGBE_CDR_DELAY_INIT           10000
++#define XGBE_CDR_DELAY_INC            10000
++#define XGBE_CDR_DELAY_MAX            100000
++
++/* RRC frequency during link status check */
++#define XGBE_RRC_FREQUENCY            10
++
+ enum xgbe_port_mode {
+       XGBE_PORT_MODE_RSVD = 0,
+       XGBE_PORT_MODE_BACKPLANE,
+@@ -355,6 +363,10 @@ struct xgbe_phy_data {
+       unsigned int redrv_addr;
+       unsigned int redrv_lane;
+       unsigned int redrv_model;
++
++      /* KR AN support */
++      unsigned int phy_cdr_notrack;
++      unsigned int phy_cdr_delay;
+ };
+ 
+ /* I2C, MDIO and GPIO lines are muxed, so only one device at a time */
+@@ -2361,7 +2373,7 @@ static int xgbe_phy_link_status(struct x
+               return 1;
+ 
+       /* No link, attempt a receiver reset cycle */
+-      if (phy_data->rrc_count++) {
++      if (phy_data->rrc_count++ > XGBE_RRC_FREQUENCY) {
+               phy_data->rrc_count = 0;
+               xgbe_phy_rrc(pdata);
+       }
+@@ -2669,6 +2681,103 @@ static bool xgbe_phy_port_enabled(struct
+       return true;
+ }
+ 
++static void xgbe_phy_cdr_track(struct xgbe_prv_data *pdata)
++{
++      struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++      if (!pdata->debugfs_an_cdr_workaround)
++              return;
++
++      if (!phy_data->phy_cdr_notrack)
++              return;
++
++      usleep_range(phy_data->phy_cdr_delay,
++                   phy_data->phy_cdr_delay + 500);
++
++      XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL,
++                       XGBE_PMA_CDR_TRACK_EN_MASK,
++                       XGBE_PMA_CDR_TRACK_EN_ON);
++
++      phy_data->phy_cdr_notrack = 0;
++}
++
++static void xgbe_phy_cdr_notrack(struct xgbe_prv_data *pdata)
++{
++      struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++      if (!pdata->debugfs_an_cdr_workaround)
++              return;
++
++      if (phy_data->phy_cdr_notrack)
++              return;
++
++      XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL,
++                       XGBE_PMA_CDR_TRACK_EN_MASK,
++                       XGBE_PMA_CDR_TRACK_EN_OFF);
++
++      xgbe_phy_rrc(pdata);
++
++      phy_data->phy_cdr_notrack = 1;
++}
++
++static void xgbe_phy_kr_training_post(struct xgbe_prv_data *pdata)
++{
++      if (!pdata->debugfs_an_cdr_track_early)
++              xgbe_phy_cdr_track(pdata);
++}
++
++static void xgbe_phy_kr_training_pre(struct xgbe_prv_data *pdata)
++{
++      if (pdata->debugfs_an_cdr_track_early)
++              xgbe_phy_cdr_track(pdata);
++}
++
++static void xgbe_phy_an_post(struct xgbe_prv_data *pdata)
++{
++      struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++      switch (pdata->an_mode) {
++      case XGBE_AN_MODE_CL73:
++      case XGBE_AN_MODE_CL73_REDRV:
++              if (phy_data->cur_mode != XGBE_MODE_KR)
++                      break;
++
++              xgbe_phy_cdr_track(pdata);
++
++              switch (pdata->an_result) {
++              case XGBE_AN_READY:
++              case XGBE_AN_COMPLETE:
++                      break;
++              default:
++                      if (phy_data->phy_cdr_delay < XGBE_CDR_DELAY_MAX)
++                              phy_data->phy_cdr_delay += XGBE_CDR_DELAY_INC;
++                      else
++                              phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT;
++                      break;
++              }
++              break;
++      default:
++              break;
++      }
++}
++
++static void xgbe_phy_an_pre(struct xgbe_prv_data *pdata)
++{
++      struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++      switch (pdata->an_mode) {
++      case XGBE_AN_MODE_CL73:
++      case XGBE_AN_MODE_CL73_REDRV:
++              if (phy_data->cur_mode != XGBE_MODE_KR)
++                      break;
++
++              xgbe_phy_cdr_notrack(pdata);
++              break;
++      default:
++              break;
++      }
++}
++
+ static void xgbe_phy_stop(struct xgbe_prv_data *pdata)
+ {
+       struct xgbe_phy_data *phy_data = pdata->phy_data;
+@@ -2680,6 +2789,9 @@ static void xgbe_phy_stop(struct xgbe_pr
+       xgbe_phy_sfp_reset(phy_data);
+       xgbe_phy_sfp_mod_absent(pdata);
+ 
++      /* Reset CDR support */
++      xgbe_phy_cdr_track(pdata);
++
+       /* Power off the PHY */
+       xgbe_phy_power_off(pdata);
+ 
+@@ -2712,6 +2824,9 @@ static int xgbe_phy_start(struct xgbe_pr
+       /* Start in highest supported mode */
+       xgbe_phy_set_mode(pdata, phy_data->start_mode);
+ 
++      /* Reset CDR support */
++      xgbe_phy_cdr_track(pdata);
++
+       /* After starting the I2C controller, we can check for an SFP */
+       switch (phy_data->port_mode) {
+       case XGBE_PORT_MODE_SFP:
+@@ -3019,6 +3134,8 @@ static int xgbe_phy_init(struct xgbe_prv
+               }
+       }
+ 
++      phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT;
++
+       /* Register for driving external PHYs */
+       mii = devm_mdiobus_alloc(pdata->dev);
+       if (!mii) {
+@@ -3071,4 +3188,10 @@ void xgbe_init_function_ptrs_phy_v2(stru
+       phy_impl->an_advertising        = xgbe_phy_an_advertising;
+ 
+       phy_impl->an_outcome            = xgbe_phy_an_outcome;
++
++      phy_impl->an_pre                = xgbe_phy_an_pre;
++      phy_impl->an_post               = xgbe_phy_an_post;
++
++      phy_impl->kr_training_pre       = xgbe_phy_kr_training_pre;
++      phy_impl->kr_training_post      = xgbe_phy_kr_training_post;
+ }
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -994,6 +994,7 @@ struct xgbe_version_data {
+       unsigned int irq_reissue_support;
+       unsigned int tx_desc_prefetch;
+       unsigned int rx_desc_prefetch;
++      unsigned int an_cdr_workaround;
+ };
+ 
+ struct xgbe_vxlan_data {
+@@ -1262,6 +1263,9 @@ struct xgbe_prv_data {
+       unsigned int debugfs_xprop_reg;
+ 
+       unsigned int debugfs_xi2c_reg;
++
++      bool debugfs_an_cdr_workaround;
++      bool debugfs_an_cdr_track_early;
+ };
+ 
+ /* Function prototypes*/

diff --git a/queue-4.14/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch b/queue-4.14/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch
new file mode 100644 (file)
index 0000000..8f6e3cd
--- /dev/null
+++ b/queue-4.14/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch
@@ -0,0 +1,137 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:34 -0500
+Subject: amd-xgbe: Only use the SFP supported transceiver signals
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 117df655f8ed51adb6e6b163812a06ebeae9f453 ]
+
+The SFP eeprom indicates the transceiver signals (Rx LOS, Tx Fault, etc.)
+that it supports.  Update the driver to include checking the eeprom data
+when deciding whether to use a transceiver signal.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c |   71 +++++++++++++++++++++-------
+ 1 file changed, 54 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -253,6 +253,10 @@ enum xgbe_sfp_speed {
+ #define XGBE_SFP_BASE_VENDOR_SN                       4
+ #define XGBE_SFP_BASE_VENDOR_SN_LEN           16
+ 
++#define XGBE_SFP_EXTD_OPT1                    1
++#define XGBE_SFP_EXTD_OPT1_RX_LOS             BIT(1)
++#define XGBE_SFP_EXTD_OPT1_TX_FAULT           BIT(3)
++
+ #define XGBE_SFP_EXTD_DIAG                    28
+ #define XGBE_SFP_EXTD_DIAG_ADDR_CHANGE                BIT(2)
+ 
+@@ -332,6 +336,7 @@ struct xgbe_phy_data {
+ 
+       unsigned int sfp_gpio_address;
+       unsigned int sfp_gpio_mask;
++      unsigned int sfp_gpio_inputs;
+       unsigned int sfp_gpio_rx_los;
+       unsigned int sfp_gpio_tx_fault;
+       unsigned int sfp_gpio_mod_absent;
+@@ -986,6 +991,49 @@ static void xgbe_phy_sfp_external_phy(st
+       phy_data->sfp_phy_avail = 1;
+ }
+ 
++static bool xgbe_phy_check_sfp_rx_los(struct xgbe_phy_data *phy_data)
++{
++      u8 *sfp_extd = phy_data->sfp_eeprom.extd;
++
++      if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_RX_LOS))
++              return false;
++
++      if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS)
++              return false;
++
++      if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_rx_los))
++              return true;
++
++      return false;
++}
++
++static bool xgbe_phy_check_sfp_tx_fault(struct xgbe_phy_data *phy_data)
++{
++      u8 *sfp_extd = phy_data->sfp_eeprom.extd;
++
++      if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_TX_FAULT))
++              return false;
++
++      if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT)
++              return false;
++
++      if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_tx_fault))
++              return true;
++
++      return false;
++}
++
++static bool xgbe_phy_check_sfp_mod_absent(struct xgbe_phy_data *phy_data)
++{
++      if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT)
++              return false;
++
++      if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_mod_absent))
++              return true;
++
++      return false;
++}
++
+ static bool xgbe_phy_belfuse_parse_quirks(struct xgbe_prv_data *pdata)
+ {
+       struct xgbe_phy_data *phy_data = pdata->phy_data;
+@@ -1031,6 +1079,10 @@ static void xgbe_phy_sfp_parse_eeprom(st
+       if (sfp_base[XGBE_SFP_BASE_EXT_ID] != XGBE_SFP_EXT_ID_SFP)
+               return;
+ 
++      /* Update transceiver signals (eeprom extd/options) */
++      phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data);
++      phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data);
++
+       if (xgbe_phy_sfp_parse_quirks(pdata))
+               return;
+ 
+@@ -1196,7 +1248,6 @@ put:
+ static void xgbe_phy_sfp_signals(struct xgbe_prv_data *pdata)
+ {
+       struct xgbe_phy_data *phy_data = pdata->phy_data;
+-      unsigned int gpio_input;
+       u8 gpio_reg, gpio_ports[2];
+       int ret;
+ 
+@@ -1211,23 +1262,9 @@ static void xgbe_phy_sfp_signals(struct
+               return;
+       }
+ 
+-      gpio_input = (gpio_ports[1] << 8) | gpio_ports[0];
+-
+-      if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT) {
+-              /* No GPIO, just assume the module is present for now */
+-              phy_data->sfp_mod_absent = 0;
+-      } else {
+-              if (!(gpio_input & (1 << phy_data->sfp_gpio_mod_absent)))
+-                      phy_data->sfp_mod_absent = 0;
+-      }
+-
+-      if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS) &&
+-          (gpio_input & (1 << phy_data->sfp_gpio_rx_los)))
+-              phy_data->sfp_rx_los = 1;
++      phy_data->sfp_gpio_inputs = (gpio_ports[1] << 8) | gpio_ports[0];
+ 
+-      if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT) &&
+-          (gpio_input & (1 << phy_data->sfp_gpio_tx_fault)))
+-              phy_data->sfp_tx_fault = 1;
++      phy_data->sfp_mod_absent = xgbe_phy_check_sfp_mod_absent(phy_data);
+ }
+ 
+ static void xgbe_phy_sfp_mod_absent(struct xgbe_prv_data *pdata)

diff --git a/queue-4.14/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch b/queue-4.14/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
new file mode 100644 (file)
index 0000000..190de58
--- /dev/null
+++ b/queue-4.14/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 22 Apr 2018 19:11:50 +0800
+Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ]
+
+After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it
+would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev
+if bond->dev->npinfo was set.
+
+However now slave_dev npinfo is set with bond->dev->npinfo before calling
+slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called
+in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup().
+It causes that the lower dev of this slave dev can't set its npinfo.
+
+One way to reproduce it:
+
+  # modprobe bonding
+  # brctl addbr br0
+  # brctl addif br0 eth1
+  # ifconfig bond0 192.168.122.1/24 up
+  # ifenslave bond0 eth2
+  # systemctl restart netconsole
+  # ifenslave bond0 br0
+  # ifconfig eth2 down
+  # systemctl restart netconsole
+
+The netpoll won't really work.
+
+This patch is to remove that slave_dev npinfo setting in bond_enslave().
+
+Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1656,8 +1656,7 @@ int bond_enslave(struct net_device *bond
+       } /* switch(bond_mode) */
+ 
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-      slave_dev->npinfo = bond->dev->npinfo;
+-      if (slave_dev->npinfo) {
++      if (bond->dev->npinfo) {
+               if (slave_enable_netpoll(new_slave)) {
+                       netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
+                       res = -EBUSY;

diff --git a/queue-4.14/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch b/queue-4.14/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
new file mode 100644 (file)
index 0000000..7820d45
--- /dev/null
+++ b/queue-4.14/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
@@ -0,0 +1,44 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 22 Apr 2018 18:29:23 -0700
+Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
+
+KMSAN reported use of uninit-value that I tracked to lack
+of proper size check on RTA_TABLE attribute.
+
+I also believe RTA_PREFSRC lacks a similar check.
+
+Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
+Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2959,6 +2959,7 @@ void rt6_mtu_change(struct net_device *d
+ 
+ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+       [RTA_GATEWAY]           = { .len = sizeof(struct in6_addr) },
++      [RTA_PREFSRC]           = { .len = sizeof(struct in6_addr) },
+       [RTA_OIF]               = { .type = NLA_U32 },
+       [RTA_IIF]               = { .type = NLA_U32 },
+       [RTA_PRIORITY]          = { .type = NLA_U32 },
+@@ -2970,6 +2971,7 @@ static const struct nla_policy rtm_ipv6_
+       [RTA_EXPIRES]           = { .type = NLA_U32 },
+       [RTA_UID]               = { .type = NLA_U32 },
+       [RTA_MARK]              = { .type = NLA_U32 },
++      [RTA_TABLE]             = { .type = NLA_U32 },
+ };
+ 
+ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,

diff --git a/queue-4.14/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch b/queue-4.14/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch
new file mode 100644 (file)
index 0000000..bcf1c76
--- /dev/null
+++ b/queue-4.14/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch
@@ -0,0 +1,95 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Ahmed Abdelsalam <amsalam20@gmail.com>
+Date: Fri, 20 Apr 2018 15:58:05 +0200
+Subject: ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
+
+From: Ahmed Abdelsalam <amsalam20@gmail.com>
+
+
+[ Upstream commit a957fa190aa9d9168b33d460a5241a6d088c6265 ]
+
+In case of seg6 in encap mode, seg6_do_srh_encap() calls set_tun_src()
+in order to set the src addr of outer IPv6 header.
+
+The net_device is required for set_tun_src(). However calling ip6_dst_idev()
+on dst_entry in case of IPv4 traffic results on the following bug.
+
+Using just dst->dev should fix this BUG.
+
+[  196.242461] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[  196.242975] PGD 800000010f076067 P4D 800000010f076067 PUD 10f060067 PMD 0
+[  196.243329] Oops: 0000 [#1] SMP PTI
+[  196.243468] Modules linked in: nfsd auth_rpcgss nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd input_leds glue_helper led_class pcspkr serio_raw mac_hid video autofs4 hid_generic usbhid hid e1000 i2c_piix4 ahci pata_acpi libahci
+[  196.244362] CPU: 2 PID: 1089 Comm: ping Not tainted 4.16.0+ #1
+[  196.244606] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[  196.244968] RIP: 0010:seg6_do_srh_encap+0x1ac/0x300
+[  196.245236] RSP: 0018:ffffb2ce00b23a60 EFLAGS: 00010202
+[  196.245464] RAX: 0000000000000000 RBX: ffff8c7f53eea300 RCX: 0000000000000000
+[  196.245742] RDX: 0000f10000000000 RSI: ffff8c7f52085a6c RDI: ffff8c7f41166850
+[  196.246018] RBP: ffffb2ce00b23aa8 R08: 00000000000261e0 R09: ffff8c7f41166800
+[  196.246294] R10: ffffdce5040ac780 R11: ffff8c7f41166828 R12: ffff8c7f41166808
+[  196.246570] R13: ffff8c7f52085a44 R14: ffffffffb73211c0 R15: ffff8c7e69e44200
+[  196.246846] FS:  00007fc448789700(0000) GS:ffff8c7f59d00000(0000) knlGS:0000000000000000
+[  196.247286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  196.247526] CR2: 0000000000000000 CR3: 000000010f05a000 CR4: 00000000000406e0
+[  196.247804] Call Trace:
+[  196.247972]  seg6_do_srh+0x15b/0x1c0
+[  196.248156]  seg6_output+0x3c/0x220
+[  196.248341]  ? prandom_u32+0x14/0x20
+[  196.248526]  ? ip_idents_reserve+0x6c/0x80
+[  196.248723]  ? __ip_select_ident+0x90/0x100
+[  196.248923]  ? ip_append_data.part.50+0x6c/0xd0
+[  196.249133]  lwtunnel_output+0x44/0x70
+[  196.249328]  ip_send_skb+0x15/0x40
+[  196.249515]  raw_sendmsg+0x8c3/0xac0
+[  196.249701]  ? _copy_from_user+0x2e/0x60
+[  196.249897]  ? rw_copy_check_uvector+0x53/0x110
+[  196.250106]  ? _copy_from_user+0x2e/0x60
+[  196.250299]  ? copy_msghdr_from_user+0xce/0x140
+[  196.250508]  sock_sendmsg+0x36/0x40
+[  196.250690]  ___sys_sendmsg+0x292/0x2a0
+[  196.250881]  ? _cond_resched+0x15/0x30
+[  196.251074]  ? copy_termios+0x1e/0x70
+[  196.251261]  ? _copy_to_user+0x22/0x30
+[  196.251575]  ? tty_mode_ioctl+0x1c3/0x4e0
+[  196.251782]  ? _cond_resched+0x15/0x30
+[  196.251972]  ? mutex_lock+0xe/0x30
+[  196.252152]  ? vvar_fault+0xd2/0x110
+[  196.252337]  ? __do_fault+0x1f/0xc0
+[  196.252521]  ? __handle_mm_fault+0xc1f/0x12d0
+[  196.252727]  ? __sys_sendmsg+0x63/0xa0
+[  196.252919]  __sys_sendmsg+0x63/0xa0
+[  196.253107]  do_syscall_64+0x72/0x200
+[  196.253305]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[  196.253530] RIP: 0033:0x7fc4480b0690
+[  196.253715] RSP: 002b:00007ffde9f252f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[  196.254053] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007fc4480b0690
+[  196.254331] RDX: 0000000000000000 RSI: 000000000060a360 RDI: 0000000000000003
+[  196.254608] RBP: 00007ffde9f253f0 R08: 00000000002d1e81 R09: 0000000000000002
+[  196.254884] R10: 00007ffde9f250c0 R11: 0000000000000246 R12: 0000000000b22070
+[  196.255205] R13: 20c49ba5e353f7cf R14: 431bde82d7b634db R15: 00007ffde9f278fe
+[  196.255484] Code: a5 0f b6 45 c0 41 88 41 28 41 0f b6 41 2c 48 c1 e0 04 49 8b 54 01 38 49 8b 44 01 30 49 89 51 20 49 89 41 18 48 8b 83 b0 00 00 00 <48> 8b 30 49 8b 86 08 0b 00 00 48 8b 40 20 48 8b 50 08 48 0b 10
+[  196.256190] RIP: seg6_do_srh_encap+0x1ac/0x300 RSP: ffffb2ce00b23a60
+[  196.256445] CR2: 0000000000000000
+[  196.256676] ---[ end trace 71af7d093603885c ]---
+
+Fixes: 8936ef7604c11 ("ipv6: sr: fix NULL pointer dereference when setting encap source address")
+Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
+Acked-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/seg6_iptunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -136,7 +136,7 @@ int seg6_do_srh_encap(struct sk_buff *sk
+       isrh->nexthdr = proto;
+ 
+       hdr->daddr = isrh->segments[isrh->first_segment];
+-      set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
++      set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr);
+ 
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+       if (sr_has_hmac(isrh)) {

diff --git a/queue-4.14/keys-dns-limit-the-length-of-option-strings.patch b/queue-4.14/keys-dns-limit-the-length-of-option-strings.patch
new file mode 100644 (file)
index 0000000..504ec16
--- /dev/null
+++ b/queue-4.14/keys-dns-limit-the-length-of-option-strings.patch
@@ -0,0 +1,76 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 17 Apr 2018 12:07:06 -0700
+Subject: KEYS: DNS: limit the length of option strings
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ]
+
+Adding a dns_resolver key whose payload contains a very long option name
+resulted in that string being printed in full.  This hit the WARN_ONCE()
+in set_precision() during the printk(), because printk() only supports a
+precision of up to 32767 bytes:
+
+    precision 1000000 too large
+    WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
+
+Fix it by limiting option strings (combined name + value) to a much more
+reasonable 128 bytes.  The exact limit is arbitrary, but currently the
+only recognized option is formatted as "dnserror=%lu" which fits well
+within this limit.
+
+Also ratelimit the printks.
+
+Reproducer:
+
+    perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
+
+This bug was found using syzkaller.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dns_resolver/dns_key.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -25,6 +25,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
++#include <linux/ratelimit.h>
+ #include <linux/kernel.h>
+ #include <linux/keyctl.h>
+ #include <linux/err.h>
+@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_prepars
+ 
+                       next_opt = memchr(opt, '#', end - opt) ?: end;
+                       opt_len = next_opt - opt;
+-                      if (!opt_len) {
+-                              printk(KERN_WARNING
+-                                     "Empty option to dns_resolver key\n");
++                      if (opt_len <= 0 || opt_len > 128) {
++                              pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
++                                                  opt_len);
+                               return -EINVAL;
+                       }
+ 
+@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_prepars
+                       }
+ 
+               bad_option_value:
+-                      printk(KERN_WARNING
+-                             "Option '%*.*s' to dns_resolver key:"
+-                             " bad/missing value\n",
+-                             opt_nlen, opt_nlen, opt);
++                      pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
++                                          opt_nlen, opt_nlen, opt);
+                       return -EINVAL;
+               } while (opt = next_opt + 1, opt < end);
+       }

diff --git a/queue-4.14/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch b/queue-4.14/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
new file mode 100644 (file)
index 0000000..27e23b5
--- /dev/null
+++ b/queue-4.14/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
@@ -0,0 +1,38 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:15:14 +0200
+Subject: l2tp: check sockaddr length in pppol2tp_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]
+
+Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
+it actually points to valid data.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -591,6 +591,13 @@ static int pppol2tp_connect(struct socke
+       lock_sock(sk);
+ 
+       error = -EINVAL;
++
++      if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
++          sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
++          sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
++          sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
++              goto end;
++
+       if (sp->sa_protocol != PX_PROTO_OL2TP)
+               goto end;
+ 

diff --git a/queue-4.14/llc-delete-timers-synchronously-in-llc_sk_free.patch b/queue-4.14/llc-delete-timers-synchronously-in-llc_sk_free.patch
new file mode 100644 (file)
index 0000000..1f6c05f
--- /dev/null
+++ b/queue-4.14/llc-delete-timers-synchronously-in-llc_sk_free.patch
@@ -0,0 +1,98 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 12:25:38 -0700
+Subject: llc: delete timers synchronously in llc_sk_free()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
+
+The connection timers of an llc sock could be still flying
+after we delete them in llc_sk_free(), and even possibly
+after we free the sock. We could just wait synchronously
+here in case of troubles.
+
+Note, I leave other call paths as they are, since they may
+not have to wait, at least we can change them to synchronously
+when needed.
+
+Also, move the code to net/llc/llc_conn.c, which is apparently
+a better place.
+
+Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/llc_conn.h |    1 +
+ net/llc/llc_c_ac.c     |    9 +--------
+ net/llc/llc_conn.c     |   22 +++++++++++++++++++++-
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(
+ 
+ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
+                         struct proto *prot, int kern);
++void llc_sk_stop_all_timers(struct sock *sk, bool sync);
+ void llc_sk_free(struct sock *sk);
+ 
+ void llc_sk_reset(struct sock *sk);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -1096,14 +1096,7 @@ int llc_conn_ac_inc_tx_win_size(struct s
+ 
+ int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
+ {
+-      struct llc_sock *llc = llc_sk(sk);
+-
+-      del_timer(&llc->pf_cycle_timer.timer);
+-      del_timer(&llc->ack_timer.timer);
+-      del_timer(&llc->rej_sent_timer.timer);
+-      del_timer(&llc->busy_state_timer.timer);
+-      llc->ack_must_be_send = 0;
+-      llc->ack_pf = 0;
++      llc_sk_stop_all_timers(sk, false);
+       return 0;
+ }
+ 
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -951,6 +951,26 @@ out:
+       return sk;
+ }
+ 
++void llc_sk_stop_all_timers(struct sock *sk, bool sync)
++{
++      struct llc_sock *llc = llc_sk(sk);
++
++      if (sync) {
++              del_timer_sync(&llc->pf_cycle_timer.timer);
++              del_timer_sync(&llc->ack_timer.timer);
++              del_timer_sync(&llc->rej_sent_timer.timer);
++              del_timer_sync(&llc->busy_state_timer.timer);
++      } else {
++              del_timer(&llc->pf_cycle_timer.timer);
++              del_timer(&llc->ack_timer.timer);
++              del_timer(&llc->rej_sent_timer.timer);
++              del_timer(&llc->busy_state_timer.timer);
++      }
++
++      llc->ack_must_be_send = 0;
++      llc->ack_pf = 0;
++}
++
+ /**
+  *    llc_sk_free - Frees a LLC socket
+  *    @sk - socket to free
+@@ -963,7 +983,7 @@ void llc_sk_free(struct sock *sk)
+ 
+       llc->state = LLC_CONN_OUT_OF_SVC;
+       /* Stop all (possibly) running timers */
+-      llc_conn_ac_stop_all_timers(sk, NULL);
++      llc_sk_stop_all_timers(sk, true);
+ #ifdef DEBUG_LLC_CONN_ALLOC
+       printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
+               skb_queue_len(&llc->pdu_unack_q),

diff --git a/queue-4.14/llc-fix-null-pointer-deref-for-sock_zapped.patch b/queue-4.14/llc-fix-null-pointer-deref-for-sock_zapped.patch
new file mode 100644 (file)
index 0000000..ac062fa
--- /dev/null
+++ b/queue-4.14/llc-fix-null-pointer-deref-for-sock_zapped.patch
@@ -0,0 +1,60 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 21:54:34 -0700
+Subject: llc: fix NULL pointer deref for SOCK_ZAPPED
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
+
+For SOCK_ZAPPED socket, we don't need to care about llc->sap,
+so we should just skip these refcount functions in this case.
+
+Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c |   21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -189,7 +189,6 @@ static int llc_ui_release(struct socket
+ {
+       struct sock *sk = sock->sk;
+       struct llc_sock *llc;
+-      struct llc_sap *sap;
+ 
+       if (unlikely(sk == NULL))
+               goto out;
+@@ -200,15 +199,19 @@ static int llc_ui_release(struct socket
+               llc->laddr.lsap, llc->daddr.lsap);
+       if (!llc_send_disc(sk))
+               llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+-      sap = llc->sap;
+-      /* Hold this for release_sock(), so that llc_backlog_rcv() could still
+-       * use it.
+-       */
+-      llc_sap_hold(sap);
+-      if (!sock_flag(sk, SOCK_ZAPPED))
++      if (!sock_flag(sk, SOCK_ZAPPED)) {
++              struct llc_sap *sap = llc->sap;
++
++              /* Hold this for release_sock(), so that llc_backlog_rcv()
++               * could still use it.
++               */
++              llc_sap_hold(sap);
+               llc_sap_remove_socket(llc->sap, sk);
+-      release_sock(sk);
+-      llc_sap_put(sap);
++              release_sock(sk);
++              llc_sap_put(sap);
++      } else {
++              release_sock(sk);
++      }
+       if (llc->dev)
+               dev_put(llc->dev);
+       sock_put(sk);

diff --git a/queue-4.14/llc-hold-llc_sap-before-release_sock.patch b/queue-4.14/llc-hold-llc_sap-before-release_sock.patch
new file mode 100644 (file)
index 0000000..9575241
--- /dev/null
+++ b/queue-4.14/llc-hold-llc_sap-before-release_sock.patch
@@ -0,0 +1,68 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Apr 2018 11:51:56 -0700
+Subject: llc: hold llc_sap before release_sock()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
+
+syzbot reported we still access llc->sap in llc_backlog_rcv()
+after it is freed in llc_sap_remove_socket():
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
+ llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
+ llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
+ llc_conn_service net/llc/llc_conn.c:400 [inline]
+ llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
+ llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
+ sk_backlog_rcv include/net/sock.h:909 [inline]
+ __release_sock+0x12f/0x3a0 net/core/sock.c:2335
+ release_sock+0xa4/0x2b0 net/core/sock.c:2850
+ llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
+
+llc->sap is refcount'ed and llc_sap_remove_socket() is paired
+with llc_sap_add_socket(). This can be amended by holding its refcount
+before llc_sap_remove_socket() and releasing it after release_sock().
+
+Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -189,6 +189,7 @@ static int llc_ui_release(struct socket
+ {
+       struct sock *sk = sock->sk;
+       struct llc_sock *llc;
++      struct llc_sap *sap;
+ 
+       if (unlikely(sk == NULL))
+               goto out;
+@@ -199,9 +200,15 @@ static int llc_ui_release(struct socket
+               llc->laddr.lsap, llc->daddr.lsap);
+       if (!llc_send_disc(sk))
+               llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
++      sap = llc->sap;
++      /* Hold this for release_sock(), so that llc_backlog_rcv() could still
++       * use it.
++       */
++      llc_sap_hold(sap);
+       if (!sock_flag(sk, SOCK_ZAPPED))
+               llc_sap_remove_socket(llc->sap, sk);
+       release_sock(sk);
++      llc_sap_put(sap);
+       if (llc->dev)
+               dev_put(llc->dev);
+       sock_put(sk);

diff --git a/queue-4.14/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch b/queue-4.14/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
new file mode 100644 (file)
index 0000000..36bc100
--- /dev/null
+++ b/queue-4.14/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
@@ -0,0 +1,121 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Apr 2018 17:52:04 -0700
+Subject: net: af_packet: fix race in PACKET_{R|T}X_RING
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]
+
+In order to remove the race caught by syzbot [1], we need
+to lock the socket before using po->tp_version as this could
+change under us otherwise.
+
+This means lock_sock() and release_sock() must be done by
+packet_set_ring() callers.
+
+[1] :
+BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+ packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+ SyS_setsockopt+0x76/0xa0 net/socket.c:1828
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x449099
+RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
+RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
+RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
+
+Local variable description: ----req_u@packet_setsockopt
+Variable was created at:
+ packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3017,6 +3017,7 @@ static int packet_release(struct socket
+ 
+       packet_flush_mclist(sk);
+ 
++      lock_sock(sk);
+       if (po->rx_ring.pg_vec) {
+               memset(&req_u, 0, sizeof(req_u));
+               packet_set_ring(sk, &req_u, 1, 0);
+@@ -3026,6 +3027,7 @@ static int packet_release(struct socket
+               memset(&req_u, 0, sizeof(req_u));
+               packet_set_ring(sk, &req_u, 1, 1);
+       }
++      release_sock(sk);
+ 
+       f = fanout_release(sk);
+ 
+@@ -3654,6 +3656,7 @@ packet_setsockopt(struct socket *sock, i
+               union tpacket_req_u req_u;
+               int len;
+ 
++              lock_sock(sk);
+               switch (po->tp_version) {
+               case TPACKET_V1:
+               case TPACKET_V2:
+@@ -3664,12 +3667,17 @@ packet_setsockopt(struct socket *sock, i
+                       len = sizeof(req_u.req3);
+                       break;
+               }
+-              if (optlen < len)
+-                      return -EINVAL;
+-              if (copy_from_user(&req_u.req, optval, len))
+-                      return -EFAULT;
+-              return packet_set_ring(sk, &req_u, 0,
+-                      optname == PACKET_TX_RING);
++              if (optlen < len) {
++                      ret = -EINVAL;
++              } else {
++                      if (copy_from_user(&req_u.req, optval, len))
++                              ret = -EFAULT;
++                      else
++                              ret = packet_set_ring(sk, &req_u, 0,
++                                                  optname == PACKET_TX_RING);
++              }
++              release_sock(sk);
++              return ret;
+       }
+       case PACKET_COPY_THRESH:
+       {
+@@ -4219,8 +4227,6 @@ static int packet_set_ring(struct sock *
+       /* Added to avoid minimal code churn */
+       struct tpacket_req *req = &req_u->req;
+ 
+-      lock_sock(sk);
+-
+       rb = tx_ring ? &po->tx_ring : &po->rx_ring;
+       rb_queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
+ 
+@@ -4358,7 +4364,6 @@ static int packet_set_ring(struct sock *
+       if (pg_vec)
+               free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+-      release_sock(sk);
+       return err;
+ }
+ 

diff --git a/queue-4.14/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch b/queue-4.14/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
new file mode 100644 (file)
index 0000000..2123418
--- /dev/null
+++ b/queue-4.14/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Date: Thu, 19 Apr 2018 22:49:09 +0300
+Subject: net: ethernet: ti: cpsw: fix tx vlan priority mapping
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+
+[ Upstream commit 5e391dc5a8d801a2410d0032ad4a428d1d61800c ]
+
+The CPDMA_TX_PRIORITY_MAP in real is vlan pcp field priority mapping
+register and basically replaces vlan pcp field for tagged packets.
+So, set it to be 1:1 mapping. Otherwise, it will cause unexpected
+change of egress vlan tagged packets, like prio 2 -> prio 5.
+
+Fixes: e05107e6b747 ("net: ethernet: ti: cpsw: add multi queue support")
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -124,7 +124,7 @@ do {                                                               \
+ 
+ #define RX_PRIORITY_MAPPING   0x76543210
+ #define TX_PRIORITY_MAPPING   0x33221100
+-#define CPDMA_TX_PRIORITY_MAP 0x01234567
++#define CPDMA_TX_PRIORITY_MAP 0x76543210
+ 
+ #define CPSW_VLAN_AWARE               BIT(1)
+ #define CPSW_ALE_VLAN_AWARE   1

diff --git a/queue-4.14/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch b/queue-4.14/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
new file mode 100644 (file)
index 0000000..22cb29f
--- /dev/null
+++ b/queue-4.14/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
@@ -0,0 +1,97 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 12 Apr 2018 10:46:55 +0200
+Subject: net: fix deadlock while clearing neighbor proxy table
+
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+
+
+[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ]
+
+When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
+neigh_ifdown() is called with &nd_tbl, locking this while
+clearing the proxy neighbor entries when eg. deleting an
+interface. Calling the table's pndisc_destructor() with the
+lock still held, however, can cause a deadlock: When a
+multicast listener is available an IGMP packet of type
+ICMPV6_MGM_REDUCTION may be sent out. When reaching
+ip6_finish_output2(), if no neighbor entry for the target
+address is found, __neigh_create() is called with &nd_tbl,
+which it'll want to lock.
+
+Move the elements into their own list, then unlock the table
+and perform the destruction.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
+Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |   28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -55,7 +55,8 @@ static void neigh_timer_handler(unsigned
+ static void __neigh_notify(struct neighbour *n, int type, int flags,
+                          u32 pid);
+ static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++                                  struct net_device *dev);
+ 
+ #ifdef CONFIG_PROC_FS
+ static const struct file_operations neigh_stat_seq_fops;
+@@ -291,8 +292,7 @@ int neigh_ifdown(struct neigh_table *tbl
+ {
+       write_lock_bh(&tbl->lock);
+       neigh_flush_dev(tbl, dev);
+-      pneigh_ifdown(tbl, dev);
+-      write_unlock_bh(&tbl->lock);
++      pneigh_ifdown_and_unlock(tbl, dev);
+ 
+       del_timer_sync(&tbl->proxy_timer);
+       pneigh_queue_purge(&tbl->proxy_queue);
+@@ -681,9 +681,10 @@ int pneigh_delete(struct neigh_table *tb
+       return -ENOENT;
+ }
+ 
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++                                  struct net_device *dev)
+ {
+-      struct pneigh_entry *n, **np;
++      struct pneigh_entry *n, **np, *freelist = NULL;
+       u32 h;
+ 
+       for (h = 0; h <= PNEIGH_HASHMASK; h++) {
+@@ -691,16 +692,23 @@ static int pneigh_ifdown(struct neigh_ta
+               while ((n = *np) != NULL) {
+                       if (!dev || n->dev == dev) {
+                               *np = n->next;
+-                              if (tbl->pdestructor)
+-                                      tbl->pdestructor(n);
+-                              if (n->dev)
+-                                      dev_put(n->dev);
+-                              kfree(n);
++                              n->next = freelist;
++                              freelist = n;
+                               continue;
+                       }
+                       np = &n->next;
+               }
+       }
++      write_unlock_bh(&tbl->lock);
++      while ((n = freelist)) {
++              freelist = n->next;
++              n->next = NULL;
++              if (tbl->pdestructor)
++                      tbl->pdestructor(n);
++              if (n->dev)
++                      dev_put(n->dev);
++              kfree(n);
++      }
+       return -ENOENT;
+ }
+ 

diff --git a/queue-4.14/net-sched-ife-check-on-metadata-length.patch b/queue-4.14/net-sched-ife-check-on-metadata-length.patch
new file mode 100644 (file)
index 0000000..52cdd73
--- /dev/null
+++ b/queue-4.14/net-sched-ife-check-on-metadata-length.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:05 -0400
+Subject: net: sched: ife: check on metadata length
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit d57493d6d1be26c8ac8516a4463bfe24956978eb ]
+
+This patch checks if sk buffer is available to dererence ife header. If
+not then NULL will returned to signal an malformed ife packet. This
+avoids to crashing the kernel from outside.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ife/ife.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -69,6 +69,9 @@ void *ife_decode(struct sk_buff *skb, u1
+       int total_pull;
+       u16 ifehdrln;
+ 
++      if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN))
++              return NULL;
++
+       ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len);
+       ifehdrln = ntohs(ifehdr->metalen);
+       total_pull = skb->dev->hard_header_len + ifehdrln;

diff --git a/queue-4.14/net-sched-ife-handle-malformed-tlv-length.patch b/queue-4.14/net-sched-ife-handle-malformed-tlv-length.patch
new file mode 100644 (file)
index 0000000..f790e04
--- /dev/null
+++ b/queue-4.14/net-sched-ife-handle-malformed-tlv-length.patch
@@ -0,0 +1,101 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:04 -0400
+Subject: net: sched: ife: handle malformed tlv length
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ]
+
+There is currently no handling to check on a invalid tlv length. This
+patch adds such handling to avoid killing the kernel with a malformed
+ife packet.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ife.h   |    3 ++-
+ net/ife/ife.c       |   35 +++++++++++++++++++++++++++++++++--
+ net/sched/act_ife.c |    7 ++++++-
+ 3 files changed, 41 insertions(+), 4 deletions(-)
+
+--- a/include/net/ife.h
++++ b/include/net/ife.h
+@@ -12,7 +12,8 @@
+ void *ife_encode(struct sk_buff *skb, u16 metalen);
+ void *ife_decode(struct sk_buff *skb, u16 *metalen);
+ 
+-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen);
++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
++                        u16 *dlen, u16 *totlen);
+ int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen,
+                       const void *dval);
+ 
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -92,12 +92,43 @@ struct meta_tlvhdr {
+       __be16 len;
+ };
+ 
++static bool __ife_tlv_meta_valid(const unsigned char *skbdata,
++                               const unsigned char *ifehdr_end)
++{
++      const struct meta_tlvhdr *tlv;
++      u16 tlvlen;
++
++      if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end))
++              return false;
++
++      tlv = (const struct meta_tlvhdr *)skbdata;
++      tlvlen = ntohs(tlv->len);
++
++      /* tlv length field is inc header, check on minimum */
++      if (tlvlen < NLA_HDRLEN)
++              return false;
++
++      /* overflow by NLA_ALIGN check */
++      if (NLA_ALIGN(tlvlen) < tlvlen)
++              return false;
++
++      if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end))
++              return false;
++
++      return true;
++}
++
+ /* Caller takes care of presenting data in network order
+  */
+-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen)
++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
++                        u16 *dlen, u16 *totlen)
+ {
+-      struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata;
++      struct meta_tlvhdr *tlv;
++
++      if (!__ife_tlv_meta_valid(skbdata, ifehdr_end))
++              return NULL;
+ 
++      tlv = (struct meta_tlvhdr *)skbdata;
+       *dlen = ntohs(tlv->len) - NLA_HDRLEN;
+       *attrtype = ntohs(tlv->type);
+ 
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -639,7 +639,12 @@ static int tcf_ife_decode(struct sk_buff
+               u16 mtype;
+               u16 dlen;
+ 
+-              curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL);
++              curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype,
++                                              &dlen, NULL);
++              if (!curr_data) {
++                      qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
++                      return TC_ACT_SHOT;
++              }
+ 
+               if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
+                       /* abuse overlimits to count when we receive metadata

diff --git a/queue-4.14/net-sched-ife-signal-not-finding-metaid.patch b/queue-4.14/net-sched-ife-signal-not-finding-metaid.patch
new file mode 100644 (file)
index 0000000..7bd027e
--- /dev/null
+++ b/queue-4.14/net-sched-ife-signal-not-finding-metaid.patch
@@ -0,0 +1,33 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:03 -0400
+Subject: net: sched: ife: signal not finding metaid
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ]
+
+We need to record stats for received metadata that we dont know how
+to process. Have find_decode_metaid() return -ENOENT to capture this.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -605,7 +605,7 @@ static int find_decode_metaid(struct sk_
+               }
+       }
+ 
+-      return 0;
++      return -ENOENT;
+ }
+ 
+ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,

diff --git a/queue-4.14/net-smc-fix-shutdown-in-state-smc_listen.patch b/queue-4.14/net-smc-fix-shutdown-in-state-smc_listen.patch
new file mode 100644 (file)
index 0000000..ba07854
--- /dev/null
+++ b/queue-4.14/net-smc-fix-shutdown-in-state-smc_listen.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 15:56:40 +0200
+Subject: net/smc: fix shutdown in state SMC_LISTEN
+
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+
+
+[ Upstream commit 1255fcb2a655f05e02f3a74675a6d6525f187afd ]
+
+Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket
+crashes, because
+   commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
+releases the internal clcsock in smc_close_active() and sets smc->clcsock
+to NULL.
+For SHUT_RD the smc_close_active() call is removed.
+For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the
+clcsock is already released.
+
+Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Reported-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1203,14 +1203,12 @@ static int smc_shutdown(struct socket *s
+               rc = smc_close_shutdown_write(smc);
+               break;
+       case SHUT_RD:
+-              if (sk->sk_state == SMC_LISTEN)
+-                      rc = smc_close_active(smc);
+-              else
+-                      rc = 0;
+-                      /* nothing more to do because peer is not involved */
++              rc = 0;
++              /* nothing more to do because peer is not involved */
+               break;
+       }
+-      rc1 = kernel_sock_shutdown(smc->clcsock, how);
++      if (smc->clcsock)
++              rc1 = kernel_sock_shutdown(smc->clcsock, how);
+       /* map sock_shutdown_cmd constants to sk_shutdown value range */
+       sk->sk_shutdown |= how + 1;
+ 

diff --git a/queue-4.14/net-validate-attribute-sizes-in-neigh_dump_table.patch b/queue-4.14/net-validate-attribute-sizes-in-neigh_dump_table.patch
new file mode 100644 (file)
index 0000000..f4da790
--- /dev/null
+++ b/queue-4.14/net-validate-attribute-sizes-in-neigh_dump_table.patch
@@ -0,0 +1,109 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:46:00 -0700
+Subject: net: validate attribute sizes in neigh_dump_table()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744 ]
+
+Since neigh_dump_table() calls nlmsg_parse() without giving policy
+constraints, attributes can have arbirary size that we must validate
+
+Reported by syzbot/KMSAN :
+
+BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ neigh_master_filtered net/core/neighbour.c:2292 [inline]
+ neigh_dump_table net/core/neighbour.c:2348 [inline]
+ neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+ netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225
+ __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598
+ netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fed9
+RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
+RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800
+R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
+ netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2323,12 +2323,16 @@ static int neigh_dump_table(struct neigh
+ 
+       err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL, NULL);
+       if (!err) {
+-              if (tb[NDA_IFINDEX])
++              if (tb[NDA_IFINDEX]) {
++                      if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32))
++                              return -EINVAL;
+                       filter_idx = nla_get_u32(tb[NDA_IFINDEX]);
+-
+-              if (tb[NDA_MASTER])
++              }
++              if (tb[NDA_MASTER]) {
++                      if (nla_len(tb[NDA_MASTER]) != sizeof(u32))
++                              return -EINVAL;
+                       filter_master_idx = nla_get_u32(tb[NDA_MASTER]);
+-
++              }
+               if (filter_idx || filter_master_idx)
+                       flags |= NLM_F_DUMP_FILTERED;
+       }

diff --git a/queue-4.14/packet-fix-bitfield-update-race.patch b/queue-4.14/packet-fix-bitfield-update-race.patch
new file mode 100644 (file)
index 0000000..3016ccb
--- /dev/null
+++ b/queue-4.14/packet-fix-bitfield-update-race.patch
@@ -0,0 +1,198 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 23 Apr 2018 17:37:03 -0400
+Subject: packet: fix bitfield update race
+
+From: Willem de Bruijn <willemb@google.com>
+
+
+[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]
+
+Updates to the bitfields in struct packet_sock are not atomic.
+Serialize these read-modify-write cycles.
+
+Move po->running into a separate variable. Its writes are protected by
+po->bind_lock (except for one startup case at packet_create). Also
+replace a textual precondition warning with lockdep annotation.
+
+All others are set only in packet_setsockopt. Serialize these
+updates by holding the socket lock. Analogous to other field updates,
+also hold the lock when testing whether a ring is active (pg_vec).
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |   60 +++++++++++++++++++++++++++++++++++--------------
+ net/packet/internal.h  |   10 ++++----
+ 2 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -331,11 +331,11 @@ static void packet_pick_tx_queue(struct
+       skb_set_queue_mapping(skb, queue_index);
+ }
+ 
+-/* register_prot_hook must be invoked with the po->bind_lock held,
++/* __register_prot_hook must be invoked through register_prot_hook
+  * or from a context in which asynchronous accesses to the packet
+  * socket is not possible (packet_create()).
+  */
+-static void register_prot_hook(struct sock *sk)
++static void __register_prot_hook(struct sock *sk)
+ {
+       struct packet_sock *po = pkt_sk(sk);
+ 
+@@ -350,8 +350,13 @@ static void register_prot_hook(struct so
+       }
+ }
+ 
+-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+- * held.   If the sync parameter is true, we will temporarily drop
++static void register_prot_hook(struct sock *sk)
++{
++      lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
++      __register_prot_hook(sk);
++}
++
++/* If the sync parameter is true, we will temporarily drop
+  * the po->bind_lock and do a synchronize_net to make sure no
+  * asynchronous packet processing paths still refer to the elements
+  * of po->prot_hook.  If the sync parameter is false, it is the
+@@ -361,6 +366,8 @@ static void __unregister_prot_hook(struc
+ {
+       struct packet_sock *po = pkt_sk(sk);
+ 
++      lockdep_assert_held_once(&po->bind_lock);
++
+       po->running = 0;
+ 
+       if (po->fanout)
+@@ -3261,7 +3268,7 @@ static int packet_create(struct net *net
+ 
+       if (proto) {
+               po->prot_hook.type = proto;
+-              register_prot_hook(sk);
++              __register_prot_hook(sk);
+       }
+ 
+       mutex_lock(&net->packet.sklist_lock);
+@@ -3743,12 +3750,18 @@ packet_setsockopt(struct socket *sock, i
+ 
+               if (optlen != sizeof(val))
+                       return -EINVAL;
+-              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-                      return -EBUSY;
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+-              po->tp_loss = !!val;
+-              return 0;
++
++              lock_sock(sk);
++              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++                      ret = -EBUSY;
++              } else {
++                      po->tp_loss = !!val;
++                      ret = 0;
++              }
++              release_sock(sk);
++              return ret;
+       }
+       case PACKET_AUXDATA:
+       {
+@@ -3759,7 +3772,9 @@ packet_setsockopt(struct socket *sock, i
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+ 
++              lock_sock(sk);
+               po->auxdata = !!val;
++              release_sock(sk);
+               return 0;
+       }
+       case PACKET_ORIGDEV:
+@@ -3771,7 +3786,9 @@ packet_setsockopt(struct socket *sock, i
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+ 
++              lock_sock(sk);
+               po->origdev = !!val;
++              release_sock(sk);
+               return 0;
+       }
+       case PACKET_VNET_HDR:
+@@ -3780,15 +3797,20 @@ packet_setsockopt(struct socket *sock, i
+ 
+               if (sock->type != SOCK_RAW)
+                       return -EINVAL;
+-              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-                      return -EBUSY;
+               if (optlen < sizeof(val))
+                       return -EINVAL;
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+ 
+-              po->has_vnet_hdr = !!val;
+-              return 0;
++              lock_sock(sk);
++              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++                      ret = -EBUSY;
++              } else {
++                      po->has_vnet_hdr = !!val;
++                      ret = 0;
++              }
++              release_sock(sk);
++              return ret;
+       }
+       case PACKET_TIMESTAMP:
+       {
+@@ -3826,11 +3848,17 @@ packet_setsockopt(struct socket *sock, i
+ 
+               if (optlen != sizeof(val))
+                       return -EINVAL;
+-              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-                      return -EBUSY;
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+-              po->tp_tx_has_off = !!val;
++
++              lock_sock(sk);
++              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++                      ret = -EBUSY;
++              } else {
++                      po->tp_tx_has_off = !!val;
++                      ret = 0;
++              }
++              release_sock(sk);
+               return 0;
+       }
+       case PACKET_QDISC_BYPASS:
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -112,10 +112,12 @@ struct packet_sock {
+       int                     copy_thresh;
+       spinlock_t              bind_lock;
+       struct mutex            pg_vec_lock;
+-      unsigned int            running:1,      /* prot_hook is attached*/
+-                              auxdata:1,
++      unsigned int            running;        /* bind_lock must be held */
++      unsigned int            auxdata:1,      /* writer must hold sock lock */
+                               origdev:1,
+-                              has_vnet_hdr:1;
++                              has_vnet_hdr:1,
++                              tp_loss:1,
++                              tp_tx_has_off:1;
+       int                     pressure;
+       int                     ifindex;        /* bound device         */
+       __be16                  num;
+@@ -125,8 +127,6 @@ struct packet_sock {
+       enum tpacket_versions   tp_version;
+       unsigned int            tp_hdrlen;
+       unsigned int            tp_reserve;
+-      unsigned int            tp_loss:1;
+-      unsigned int            tp_tx_has_off:1;
+       unsigned int            tp_tstamp;
+       struct net_device __rcu *cached_dev;
+       int                     (*xmit)(struct sk_buff *skb);

diff --git a/queue-4.14/pppoe-check-sockaddr-length-in-pppoe_connect.patch b/queue-4.14/pppoe-check-sockaddr-length-in-pppoe_connect.patch
new file mode 100644 (file)
index 0000000..badced6
--- /dev/null
+++ b/queue-4.14/pppoe-check-sockaddr-length-in-pppoe_connect.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:38:27 +0200
+Subject: pppoe: check sockaddr length in pppoe_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ]
+
+We must validate sockaddr_len, otherwise userspace can pass fewer data
+than we expect and we end up accessing invalid data.
+
+Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
+Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -620,6 +620,10 @@ static int pppoe_connect(struct socket *
+       lock_sock(sk);
+ 
+       error = -EINVAL;
++
++      if (sockaddr_len != sizeof(struct sockaddr_pppox))
++              goto end;
++
+       if (sp->sa_protocol != PX_PROTO_OE)
+               goto end;
+ 

diff --git a/queue-4.14/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch b/queue-4.14/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
new file mode 100644 (file)
index 0000000..2675fc7
--- /dev/null
+++ b/queue-4.14/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
@@ -0,0 +1,136 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 12 Apr 2018 14:24:31 +0800
+Subject: sctp: do not check port in sctp_inet6_cmp_addr
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ]
+
+pf->cmp_addr() is called before binding a v6 address to the sock. It
+should not check ports, like in sctp_inet_cmp_addr.
+
+But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr,
+sctp_v6_cmp_addr where it also compares the ports.
+
+This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind
+multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp:
+lack the check for ports in sctp_v6_cmp_addr").
+
+This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr,
+but do the proper check for both v6 addrs and v4mapped addrs.
+
+v1->v2:
+  - define __sctp_v6_cmp_addr to do the common address comparison
+    used for both pf and af v6 cmp_addr.
+
+Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr")
+Reported-by: Jianwen Ji <jiji@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c |   60 ++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 30 insertions(+), 30 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -521,46 +521,49 @@ static void sctp_v6_to_addr(union sctp_a
+       addr->v6.sin6_scope_id = 0;
+ }
+ 
+-/* Compare addresses exactly.
+- * v4-mapped-v6 is also in consideration.
+- */
+-static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+-                          const union sctp_addr *addr2)
++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1,
++                            const union sctp_addr *addr2)
+ {
+       if (addr1->sa.sa_family != addr2->sa.sa_family) {
+               if (addr1->sa.sa_family == AF_INET &&
+                   addr2->sa.sa_family == AF_INET6 &&
+-                  ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) {
+-                      if (addr2->v6.sin6_port == addr1->v4.sin_port &&
+-                          addr2->v6.sin6_addr.s6_addr32[3] ==
+-                          addr1->v4.sin_addr.s_addr)
+-                              return 1;
+-              }
++                  ipv6_addr_v4mapped(&addr2->v6.sin6_addr) &&
++                  addr2->v6.sin6_addr.s6_addr32[3] ==
++                  addr1->v4.sin_addr.s_addr)
++                      return 1;
++
+               if (addr2->sa.sa_family == AF_INET &&
+                   addr1->sa.sa_family == AF_INET6 &&
+-                  ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) {
+-                      if (addr1->v6.sin6_port == addr2->v4.sin_port &&
+-                          addr1->v6.sin6_addr.s6_addr32[3] ==
+-                          addr2->v4.sin_addr.s_addr)
+-                              return 1;
+-              }
++                  ipv6_addr_v4mapped(&addr1->v6.sin6_addr) &&
++                  addr1->v6.sin6_addr.s6_addr32[3] ==
++                  addr2->v4.sin_addr.s_addr)
++                      return 1;
++
+               return 0;
+       }
+-      if (addr1->v6.sin6_port != addr2->v6.sin6_port)
+-              return 0;
++
+       if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
+               return 0;
++
+       /* If this is a linklocal address, compare the scope_id. */
+-      if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
+-              if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
+-                  (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) {
+-                      return 0;
+-              }
+-      }
++      if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) &&
++          addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
++          addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)
++              return 0;
+ 
+       return 1;
+ }
+ 
++/* Compare addresses exactly.
++ * v4-mapped-v6 is also in consideration.
++ */
++static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
++                          const union sctp_addr *addr2)
++{
++      return __sctp_v6_cmp_addr(addr1, addr2) &&
++             addr1->v6.sin6_port == addr2->v6.sin6_port;
++}
++
+ /* Initialize addr struct to INADDR_ANY. */
+ static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port)
+ {
+@@ -845,8 +848,8 @@ static int sctp_inet6_cmp_addr(const uni
+                              const union sctp_addr *addr2,
+                              struct sctp_sock *opt)
+ {
+-      struct sctp_af *af1, *af2;
+       struct sock *sk = sctp_opt2sk(opt);
++      struct sctp_af *af1, *af2;
+ 
+       af1 = sctp_get_af_specific(addr1->sa.sa_family);
+       af2 = sctp_get_af_specific(addr2->sa.sa_family);
+@@ -862,10 +865,7 @@ static int sctp_inet6_cmp_addr(const uni
+       if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
+               return 1;
+ 
+-      if (addr1->sa.sa_family != addr2->sa.sa_family)
+-              return 0;
+-
+-      return af1->cmp_addr(addr1, addr2);
++      return __sctp_v6_cmp_addr(addr1, addr2);
+ }
+ 
+ /* Verify that the provided sockaddr looks bindable.   Common verification,

diff --git a/queue-4.14/series b/queue-4.14/series
index aaf3b267b2ce0a5c60ec662fb76c6aca1191013e..1a4702b3ae7cf449f7ae5b835c6578cfd83b5dcf 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,36 @@ tpm-cmd_ready-command-can-be-issued-only-after-granting-locality.patch
 tpm-tpm-interface-fix-tpm_transmit-_cmd-kdoc.patch
 tpm-add-retry-logic.patch
 revert-ath10k-send-re-assoc-peer-command-when-nss-changed.patch
+bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
+ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
+ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch
+keys-dns-limit-the-length-of-option-strings.patch
+l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
+net-validate-attribute-sizes-in-neigh_dump_table.patch
+llc-delete-timers-synchronously-in-llc_sk_free.patch
+tcp-don-t-read-out-of-bounds-opsize.patch
+net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
+tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
+net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
+team-avoid-adding-twice-the-same-option-to-the-event-list.patch
+net-smc-fix-shutdown-in-state-smc_listen.patch
+team-fix-netconsole-setup-over-team.patch
+packet-fix-bitfield-update-race.patch
+tipc-add-policy-for-tipc_nla_net_addr.patch
+pppoe-check-sockaddr-length-in-pppoe_connect.patch
+vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch
+amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch
+sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
+amd-xgbe-improve-kr-auto-negotiation-and-training.patch
+strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch
+amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch
+strparser-fix-incorrect-strp-need_bytes-value.patch
+net-sched-ife-signal-not-finding-metaid.patch
+tcp-clear-tp-packets_out-when-purging-write-queue.patch
+net-sched-ife-handle-malformed-tlv-length.patch
+net-sched-ife-check-on-metadata-length.patch
+llc-hold-llc_sap-before-release_sock.patch
+llc-fix-null-pointer-deref-for-sock_zapped.patch
+net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
+virtio_net-split-out-ctrl-buffer.patch
+virtio_net-fix-adding-vids-on-big-endian.patch

diff --git a/queue-4.14/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch b/queue-4.14/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch
new file mode 100644 (file)
index 0000000..59dc591
--- /dev/null
+++ b/queue-4.14/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch
@@ -0,0 +1,41 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Fri, 20 Apr 2018 12:11:11 -0700
+Subject: strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
+
+From: Doron Roberts-Kedes <doronrk@fb.com>
+
+
+[ Upstream commit 7c5aba211dd61f41d737a2c51729eb9fdcd3edf4 ]
+
+struct sock's sk_rcvtimeo is initialized to
+LONG_MAX/MAX_SCHEDULE_TIMEOUT in sock_init_data. Calling
+mod_delayed_work with a timeout of LONG_MAX causes spurious execution of
+the work function. timer->expires is set equal to jiffies + LONG_MAX.
+When timer_base->clk falls behind the current value of jiffies,
+the delta between timer_base->clk and jiffies + LONG_MAX causes the
+expiration to be in the past. Returning early from strp_start_timer if
+timeo == LONG_MAX solves this problem.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Reviewed-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -67,7 +67,7 @@ static void strp_abort_strp(struct strpa
+ 
+ static void strp_start_timer(struct strparser *strp, long timeo)
+ {
+-      if (timeo)
++      if (timeo && timeo != LONG_MAX)
+               mod_delayed_work(strp_wq, &strp->msg_timer_work, timeo);
+ }
+ 

diff --git a/queue-4.14/strparser-fix-incorrect-strp-need_bytes-value.patch b/queue-4.14/strparser-fix-incorrect-strp-need_bytes-value.patch
new file mode 100644 (file)
index 0000000..9926c1f
--- /dev/null
+++ b/queue-4.14/strparser-fix-incorrect-strp-need_bytes-value.patch
@@ -0,0 +1,70 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Wed, 11 Apr 2018 15:05:16 -0700
+Subject: strparser: Fix incorrect strp->need_bytes value.
+
+From: Doron Roberts-Kedes <doronrk@fb.com>
+
+
+[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ]
+
+strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates
+that the remainder of the message has been received. However,
+do_strp_work does not reset strp->need_bytes to 0. If do_strp_work
+completes a partial message, the value of strp->need_bytes will continue
+to reflect the needed bytes of the previous message, causing
+future invocations of strp_data_ready to return early if
+strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes
+to 0 in __strp_recv on handing a full message to the upper layer solves
+this problem.
+
+__strp_recv also calculates strp->need_bytes using stm->accum_len before
+stm->accum_len has been incremented by cand_len. This can cause
+strp->need_bytes to be equal to the full length of the message instead
+of the full length minus the accumulated length. This, in turn, causes
+strp_data_ready to return early, even when there is sufficient data to
+complete the partial message. Incrementing stm->accum_len before using
+it to calculate strp->need_bytes solves this problem.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -296,9 +296,9 @@ static int __strp_recv(read_descriptor_t
+                                       strp_start_timer(strp, timeo);
+                               }
+ 
++                              stm->accum_len += cand_len;
+                               strp->need_bytes = stm->strp.full_len -
+                                                      stm->accum_len;
+-                              stm->accum_len += cand_len;
+                               stm->early_eaten = cand_len;
+                               STRP_STATS_ADD(strp->stats.bytes, cand_len);
+                               desc->count = 0; /* Stop reading socket */
+@@ -321,6 +321,7 @@ static int __strp_recv(read_descriptor_t
+               /* Hurray, we have a new message! */
+               cancel_delayed_work(&strp->msg_timer_work);
+               strp->skb_head = NULL;
++              strp->need_bytes = 0;
+               STRP_STATS_INCR(strp->stats.msgs);
+ 
+               /* Give skb to upper layer */
+@@ -410,9 +411,7 @@ void strp_data_ready(struct strparser *s
+               return;
+ 
+       if (strp->need_bytes) {
+-              if (strp_peek_len(strp) >= strp->need_bytes)
+-                      strp->need_bytes = 0;
+-              else
++              if (strp_peek_len(strp) < strp->need_bytes)
+                       return;
+       }
+ 

diff --git a/queue-4.14/tcp-clear-tp-packets_out-when-purging-write-queue.patch b/queue-4.14/tcp-clear-tp-packets_out-when-purging-write-queue.patch
new file mode 100644 (file)
index 0000000..22e4f78
--- /dev/null
+++ b/queue-4.14/tcp-clear-tp-packets_out-when-purging-write-queue.patch
@@ -0,0 +1,50 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Soheil Hassas Yeganeh <soheil@google.com>
+Date: Sat, 14 Apr 2018 20:45:20 -0400
+Subject: tcp: clear tp->packets_out when purging write queue
+
+From: Soheil Hassas Yeganeh <soheil@google.com>
+
+
+Clear tp->packets_out when purging the write queue, otherwise
+tcp_rearm_rto() mistakenly assumes TCP write queue is not empty.
+This results in NULL pointer dereference.
+
+Also, remove the redundant `tp->packets_out = 0` from
+tcp_disconnect(), since tcp_disconnect() calls
+tcp_write_queue_purge().
+
+Fixes: a27fd7a8ed38 (tcp: purge write queue upon RST)
+Reported-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h |    1 +
+ net/ipv4/tcp.c    |    1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1616,6 +1616,7 @@ static inline void tcp_write_queue_purge
+       sk_mem_reclaim(sk);
+       tcp_clear_all_retrans_hints(tcp_sk(sk));
+       tcp_init_send_head(sk);
++      tcp_sk(sk)->packets_out = 0;
+ }
+ 
+ static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2354,7 +2354,6 @@ int tcp_disconnect(struct sock *sk, int
+       icsk->icsk_backoff = 0;
+       tp->snd_cwnd = 2;
+       icsk->icsk_probes_out = 0;
+-      tp->packets_out = 0;
+       tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+       tp->snd_cwnd_cnt = 0;
+       tp->window_clamp = 0;

diff --git a/queue-4.14/tcp-don-t-read-out-of-bounds-opsize.patch b/queue-4.14/tcp-don-t-read-out-of-bounds-opsize.patch
new file mode 100644 (file)
index 0000000..b35f05d
--- /dev/null
+++ b/queue-4.14/tcp-don-t-read-out-of-bounds-opsize.patch
@@ -0,0 +1,181 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Fri, 20 Apr 2018 15:57:30 +0200
+Subject: tcp: don't read out-of-bounds opsize
+
+From: Jann Horn <jannh@google.com>
+
+
+[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ]
+
+The old code reads the "opsize" variable from out-of-bounds memory (first
+byte behind the segment) if a broken TCP segment ends directly after an
+opcode that is neither EOL nor NOP.
+
+The result of the read isn't used for anything, so the worst thing that
+could theoretically happen is a pagefault; and since the physmap is usually
+mostly contiguous, even that seems pretty unlikely.
+
+The following C reproducer triggers the uninitialized read - however, you
+can't actually see anything happen unless you put something like a
+pr_warn() in tcp_parse_md5sig_option() to print the opsize.
+
+====================================
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <net/if.h>
+#include <linux/if.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/in.h>
+#include <linux/if_tun.h>
+#include <err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <assert.h>
+
+void systemf(const char *command, ...) {
+  char *full_command;
+  va_list ap;
+  va_start(ap, command);
+  if (vasprintf(&full_command, command, ap) == -1)
+    err(1, "vasprintf");
+  va_end(ap);
+  printf("systemf: <<<%s>>>\n", full_command);
+  system(full_command);
+}
+
+char *devname;
+
+int tun_alloc(char *name) {
+  int fd = open("/dev/net/tun", O_RDWR);
+  if (fd == -1)
+    err(1, "open tun dev");
+  static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI };
+  strcpy(req.ifr_name, name);
+  if (ioctl(fd, TUNSETIFF, &req))
+    err(1, "TUNSETIFF");
+  devname = req.ifr_name;
+  printf("device name: %s\n", devname);
+  return fd;
+}
+
+#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24))
+
+void sum_accumulate(unsigned int *sum, void *data, int len) {
+  assert((len&2)==0);
+  for (int i=0; i<len/2; i++) {
+    *sum += ntohs(((unsigned short *)data)[i]);
+  }
+}
+
+unsigned short sum_final(unsigned int sum) {
+  sum = (sum >> 16) + (sum & 0xffff);
+  sum = (sum >> 16) + (sum & 0xffff);
+  return htons(~sum);
+}
+
+void fix_ip_sum(struct iphdr *ip) {
+  unsigned int sum = 0;
+  sum_accumulate(&sum, ip, sizeof(*ip));
+  ip->check = sum_final(sum);
+}
+
+void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) {
+  unsigned int sum = 0;
+  struct {
+    unsigned int saddr;
+    unsigned int daddr;
+    unsigned char pad;
+    unsigned char proto_num;
+    unsigned short tcp_len;
+  } fakehdr = {
+    .saddr = ip->saddr,
+    .daddr = ip->daddr,
+    .proto_num = ip->protocol,
+    .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4)
+  };
+  sum_accumulate(&sum, &fakehdr, sizeof(fakehdr));
+  sum_accumulate(&sum, tcp, tcp->doff*4);
+  tcp->check = sum_final(sum);
+}
+
+int main(void) {
+  int tun_fd = tun_alloc("inject_dev%d");
+  systemf("ip link set %s up", devname);
+  systemf("ip addr add 192.168.42.1/24 dev %s", devname);
+
+  struct {
+    struct iphdr ip;
+    struct tcphdr tcp;
+    unsigned char tcp_opts[20];
+  } __attribute__((packed)) syn_packet = {
+    .ip = {
+      .ihl = sizeof(struct iphdr)/4,
+      .version = 4,
+      .tot_len = htons(sizeof(syn_packet)),
+      .ttl = 30,
+      .protocol = IPPROTO_TCP,
+      /* FIXUP check */
+      .saddr = IPADDR(192,168,42,2),
+      .daddr = IPADDR(192,168,42,1)
+    },
+    .tcp = {
+      .source = htons(1),
+      .dest = htons(1337),
+      .seq = 0x12345678,
+      .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4,
+      .syn = 1,
+      .window = htons(64),
+      .check = 0 /*FIXUP*/
+    },
+    .tcp_opts = {
+      /* INVALID: trailing MD5SIG opcode after NOPs */
+      1, 1, 1, 1, 1,
+      1, 1, 1, 1, 1,
+      1, 1, 1, 1, 1,
+      1, 1, 1, 1, 19
+    }
+  };
+  fix_ip_sum(&syn_packet.ip);
+  fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp);
+  while (1) {
+    int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet));
+    if (write_res != sizeof(syn_packet))
+      err(1, "packet write failed");
+  }
+}
+====================================
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3892,11 +3892,8 @@ const u8 *tcp_parse_md5sig_option(const
+       int length = (th->doff << 2) - sizeof(*th);
+       const u8 *ptr = (const u8 *)(th + 1);
+ 
+-      /* If the TCP option is too short, we can short cut */
+-      if (length < TCPOLEN_MD5SIG)
+-              return NULL;
+-
+-      while (length > 0) {
++      /* If not enough data remaining, we can short cut */
++      while (length >= TCPOLEN_MD5SIG) {
+               int opcode = *ptr++;
+               int opsize;
+ 

diff --git a/queue-4.14/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch b/queue-4.14/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
new file mode 100644 (file)
index 0000000..c2f07f2
--- /dev/null
+++ b/queue-4.14/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
@@ -0,0 +1,110 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:36:28 -0700
+Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
+
+syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
+
+I believe this was caused by a TCP_MD5SIG being set on live
+flow.
+
+This is highly unexpected, since TCP option space is limited.
+
+For instance, presence of TCP MD5 option automatically disables
+TCP TimeStamp option at SYN/SYNACK time, which we can not do
+once flow has been established.
+
+Really, adding/deleting an MD5 key only makes sense on sockets
+in CLOSE or LISTEN state.
+
+[1]
+BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+ tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
+ tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
+ tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x448fe9
+RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
+RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
+RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
+R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
+R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
+ __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
+ tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2742,8 +2742,10 @@ static int do_tcp_setsockopt(struct sock
+ #ifdef CONFIG_TCP_MD5SIG
+       case TCP_MD5SIG:
+       case TCP_MD5SIG_EXT:
+-              /* Read the IP->Key mappings from userspace */
+-              err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
++              if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++                      err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
++              else
++                      err = -EINVAL;
+               break;
+ #endif
+       case TCP_USER_TIMEOUT:

diff --git a/queue-4.14/team-avoid-adding-twice-the-same-option-to-the-event-list.patch b/queue-4.14/team-avoid-adding-twice-the-same-option-to-the-event-list.patch
new file mode 100644 (file)
index 0000000..10ae699
--- /dev/null
+++ b/queue-4.14/team-avoid-adding-twice-the-same-option-to-the-event-list.patch
@@ -0,0 +1,118 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 13 Apr 2018 13:59:25 +0200
+Subject: team: avoid adding twice the same option to the event list
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ]
+
+When parsing the options provided by the user space,
+team_nl_cmd_options_set() insert them in a temporary list to send
+multiple events with a single message.
+While each option's attribute is correctly validated, the code does
+not check for duplicate entries before inserting into the event
+list.
+
+Exploiting the above, the syzbot was able to trigger the following
+splat:
+
+kernel BUG at lib/list_debug.c:31!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+    (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
+RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
+RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
+RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
+RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
+R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
+R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
+FS:  0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+  __list_add include/linux/list.h:60 [inline]
+  list_add include/linux/list.h:79 [inline]
+  team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
+  genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
+  genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
+  netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
+  genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
+  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+  netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
+  netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
+  sock_sendmsg_nosec net/socket.c:629 [inline]
+  sock_sendmsg+0xd5/0x120 net/socket.c:639
+  ___sys_sendmsg+0x805/0x940 net/socket.c:2117
+  __sys_sendmsg+0x115/0x270 net/socket.c:2155
+  SYSC_sendmsg net/socket.c:2164 [inline]
+  SyS_sendmsg+0x29/0x30 net/socket.c:2162
+  do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+  entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4458b9
+RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
+RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
+RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
+R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
+Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48
+89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f
+40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
+RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
+
+This changeset addresses the avoiding list_add() if the current
+option is already present in the event list.
+
+Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -261,6 +261,17 @@ static void __team_option_inst_mark_remo
+       }
+ }
+ 
++static bool __team_option_inst_tmp_find(const struct list_head *opts,
++                                      const struct team_option_inst *needle)
++{
++      struct team_option_inst *opt_inst;
++
++      list_for_each_entry(opt_inst, opts, tmp_list)
++              if (opt_inst == needle)
++                      return true;
++      return false;
++}
++
+ static int __team_options_register(struct team *team,
+                                  const struct team_option *option,
+                                  size_t option_count)
+@@ -2561,6 +2572,14 @@ static int team_nl_cmd_options_set(struc
+                       if (err)
+                               goto team_put;
+                       opt_inst->changed = true;
++
++                      /* dumb/evil user-space can send us duplicate opt,
++                       * keep only the last one
++                       */
++                      if (__team_option_inst_tmp_find(&opt_inst_list,
++                                                      opt_inst))
++                              continue;
++
+                       list_add(&opt_inst->tmp_list, &opt_inst_list);
+               }
+               if (!opt_found) {

diff --git a/queue-4.14/team-fix-netconsole-setup-over-team.patch b/queue-4.14/team-fix-netconsole-setup-over-team.patch
new file mode 100644 (file)
index 0000000..9c9c327
--- /dev/null
+++ b/queue-4.14/team-fix-netconsole-setup-over-team.patch
@@ -0,0 +1,88 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 24 Apr 2018 14:33:37 +0800
+Subject: team: fix netconsole setup over team
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ]
+
+The same fix in Commit dbe173079ab5 ("bridge: fix netconsole
+setup over bridge") is also needed for team driver.
+
+While at it, remove the unnecessary parameter *team from
+team_port_enable_netpoll().
+
+v1->v2:
+  - fix it in a better way, as does bridge.
+
+Fixes: 0fb52a27a04a ("team: cleanup netpoll clode")
+Reported-by: João Avelino Bellomo Filho <jbellomo@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |   19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1072,14 +1072,11 @@ static void team_port_leave(struct team
+ }
+ 
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int __team_port_enable_netpoll(struct team_port *port)
+ {
+       struct netpoll *np;
+       int err;
+ 
+-      if (!team->dev->npinfo)
+-              return 0;
+-
+       np = kzalloc(sizeof(*np), GFP_KERNEL);
+       if (!np)
+               return -ENOMEM;
+@@ -1093,6 +1090,14 @@ static int team_port_enable_netpoll(stru
+       return err;
+ }
+ 
++static int team_port_enable_netpoll(struct team_port *port)
++{
++      if (!port->team->dev->npinfo)
++              return 0;
++
++      return __team_port_enable_netpoll(port);
++}
++
+ static void team_port_disable_netpoll(struct team_port *port)
+ {
+       struct netpoll *np = port->np;
+@@ -1107,7 +1112,7 @@ static void team_port_disable_netpoll(st
+       kfree(np);
+ }
+ #else
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int team_port_enable_netpoll(struct team_port *port)
+ {
+       return 0;
+ }
+@@ -1215,7 +1220,7 @@ static int team_port_add(struct team *te
+               goto err_vids_add;
+       }
+ 
+-      err = team_port_enable_netpoll(team, port);
++      err = team_port_enable_netpoll(port);
+       if (err) {
+               netdev_err(dev, "Failed to enable netpoll on device %s\n",
+                          portname);
+@@ -1912,7 +1917,7 @@ static int team_netpoll_setup(struct net
+ 
+       mutex_lock(&team->lock);
+       list_for_each_entry(port, &team->port_list, list) {
+-              err = team_port_enable_netpoll(team, port);
++              err = __team_port_enable_netpoll(port);
+               if (err) {
+                       __team_netpoll_cleanup(team);
+                       break;

diff --git a/queue-4.14/tipc-add-policy-for-tipc_nla_net_addr.patch b/queue-4.14/tipc-add-policy-for-tipc_nla_net_addr.patch
new file mode 100644 (file)
index 0000000..c80977f
--- /dev/null
+++ b/queue-4.14/tipc-add-policy-for-tipc_nla_net_addr.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 16 Apr 2018 08:29:42 -0700
+Subject: tipc: add policy for TIPC_NLA_NET_ADDR
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ]
+
+Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR
+
+Fixes: 27c21416727a ("tipc: add net set to new netlink api")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -79,7 +79,8 @@ const struct nla_policy tipc_nl_sock_pol
+ 
+ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
+       [TIPC_NLA_NET_UNSPEC]           = { .type = NLA_UNSPEC },
+-      [TIPC_NLA_NET_ID]               = { .type = NLA_U32 }
++      [TIPC_NLA_NET_ID]               = { .type = NLA_U32 },
++      [TIPC_NLA_NET_ADDR]             = { .type = NLA_U32 },
+ };
+ 
+ const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {

diff --git a/queue-4.14/virtio_net-fix-adding-vids-on-big-endian.patch b/queue-4.14/virtio_net-fix-adding-vids-on-big-endian.patch
new file mode 100644 (file)
index 0000000..687a6b1
--- /dev/null
+++ b/queue-4.14/virtio_net-fix-adding-vids-on-big-endian.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 19 Apr 2018 08:30:49 +0300
+Subject: virtio_net: fix adding vids on big-endian
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+
+[ Upstream commit d7fad4c840f33a6bd333dd7fbb3006edbcf0017a ]
+
+Programming vids (adding or removing them) still passes
+guest-endian values in the DMA buffer. That's wrong
+if guest is big-endian and when virtio 1 is enabled.
+
+Note: this is on top of a previous patch:
+       virtio_net: split out ctrl buffer
+
+Fixes: 9465a7a6f ("virtio_net: enable v1.0 support")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -123,7 +123,7 @@ struct control_buf {
+       struct virtio_net_ctrl_mq mq;
+       u8 promisc;
+       u8 allmulti;
+-      u16 vid;
++      __virtio16 vid;
+       u64 offloads;
+ };
+ 
+@@ -1602,7 +1602,7 @@ static int virtnet_vlan_rx_add_vid(struc
+       struct virtnet_info *vi = netdev_priv(dev);
+       struct scatterlist sg;
+ 
+-      vi->ctrl->vid = vid;
++      vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid);
+       sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+@@ -1617,7 +1617,7 @@ static int virtnet_vlan_rx_kill_vid(stru
+       struct virtnet_info *vi = netdev_priv(dev);
+       struct scatterlist sg;
+ 
+-      vi->ctrl->vid = vid;
++      vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid);
+       sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,

diff --git a/queue-4.14/virtio_net-split-out-ctrl-buffer.patch b/queue-4.14/virtio_net-split-out-ctrl-buffer.patch
new file mode 100644 (file)
index 0000000..96a2999
--- /dev/null
+++ b/queue-4.14/virtio_net-split-out-ctrl-buffer.patch
@@ -0,0 +1,206 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 19 Apr 2018 08:30:48 +0300
+Subject: virtio_net: split out ctrl buffer
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+
+[ Upstream commit 12e571693837d6164bda61e316b1944972ee0d97 ]
+
+When sending control commands, virtio net sets up several buffers for
+DMA. The buffers are all part of the net device which means it's
+actually allocated by kvmalloc so it's in theory (on extreme memory
+pressure) possible to get a vmalloc'ed buffer which on some platforms
+means we can't DMA there.
+
+Fix up by moving the DMA buffers into a separate structure.
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |   68 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 39 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -116,6 +116,17 @@ struct receive_queue {
+       char name[40];
+ };
+ 
++/* Control VQ buffers: protected by the rtnl lock */
++struct control_buf {
++      struct virtio_net_ctrl_hdr hdr;
++      virtio_net_ctrl_ack status;
++      struct virtio_net_ctrl_mq mq;
++      u8 promisc;
++      u8 allmulti;
++      u16 vid;
++      u64 offloads;
++};
++
+ struct virtnet_info {
+       struct virtio_device *vdev;
+       struct virtqueue *cvq;
+@@ -164,14 +175,7 @@ struct virtnet_info {
+       struct hlist_node node;
+       struct hlist_node node_dead;
+ 
+-      /* Control VQ buffers: protected by the rtnl lock */
+-      struct virtio_net_ctrl_hdr ctrl_hdr;
+-      virtio_net_ctrl_ack ctrl_status;
+-      struct virtio_net_ctrl_mq ctrl_mq;
+-      u8 ctrl_promisc;
+-      u8 ctrl_allmulti;
+-      u16 ctrl_vid;
+-      u64 ctrl_offloads;
++      struct control_buf *ctrl;
+ 
+       /* Ethtool settings */
+       u8 duplex;
+@@ -1340,25 +1344,25 @@ static bool virtnet_send_command(struct
+       /* Caller should know better */
+       BUG_ON(!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_VQ));
+ 
+-      vi->ctrl_status = ~0;
+-      vi->ctrl_hdr.class = class;
+-      vi->ctrl_hdr.cmd = cmd;
++      vi->ctrl->status = ~0;
++      vi->ctrl->hdr.class = class;
++      vi->ctrl->hdr.cmd = cmd;
+       /* Add header */
+-      sg_init_one(&hdr, &vi->ctrl_hdr, sizeof(vi->ctrl_hdr));
++      sg_init_one(&hdr, &vi->ctrl->hdr, sizeof(vi->ctrl->hdr));
+       sgs[out_num++] = &hdr;
+ 
+       if (out)
+               sgs[out_num++] = out;
+ 
+       /* Add return status. */
+-      sg_init_one(&stat, &vi->ctrl_status, sizeof(vi->ctrl_status));
++      sg_init_one(&stat, &vi->ctrl->status, sizeof(vi->ctrl->status));
+       sgs[out_num] = &stat;
+ 
+       BUG_ON(out_num + 1 > ARRAY_SIZE(sgs));
+       virtqueue_add_sgs(vi->cvq, sgs, out_num, 1, vi, GFP_ATOMIC);
+ 
+       if (unlikely(!virtqueue_kick(vi->cvq)))
+-              return vi->ctrl_status == VIRTIO_NET_OK;
++              return vi->ctrl->status == VIRTIO_NET_OK;
+ 
+       /* Spin for a response, the kick causes an ioport write, trapping
+        * into the hypervisor, so the request should be handled immediately.
+@@ -1367,7 +1371,7 @@ static bool virtnet_send_command(struct
+              !virtqueue_is_broken(vi->cvq))
+               cpu_relax();
+ 
+-      return vi->ctrl_status == VIRTIO_NET_OK;
++      return vi->ctrl->status == VIRTIO_NET_OK;
+ }
+ 
+ static int virtnet_set_mac_address(struct net_device *dev, void *p)
+@@ -1478,8 +1482,8 @@ static int _virtnet_set_queues(struct vi
+       if (!vi->has_cvq || !virtio_has_feature(vi->vdev, VIRTIO_NET_F_MQ))
+               return 0;
+ 
+-      vi->ctrl_mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs);
+-      sg_init_one(&sg, &vi->ctrl_mq, sizeof(vi->ctrl_mq));
++      vi->ctrl->mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs);
++      sg_init_one(&sg, &vi->ctrl->mq, sizeof(vi->ctrl->mq));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_MQ,
+                                 VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET, &sg)) {
+@@ -1537,22 +1541,22 @@ static void virtnet_set_rx_mode(struct n
+       if (!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_RX))
+               return;
+ 
+-      vi->ctrl_promisc = ((dev->flags & IFF_PROMISC) != 0);
+-      vi->ctrl_allmulti = ((dev->flags & IFF_ALLMULTI) != 0);
++      vi->ctrl->promisc = ((dev->flags & IFF_PROMISC) != 0);
++      vi->ctrl->allmulti = ((dev->flags & IFF_ALLMULTI) != 0);
+ 
+-      sg_init_one(sg, &vi->ctrl_promisc, sizeof(vi->ctrl_promisc));
++      sg_init_one(sg, &vi->ctrl->promisc, sizeof(vi->ctrl->promisc));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX,
+                                 VIRTIO_NET_CTRL_RX_PROMISC, sg))
+               dev_warn(&dev->dev, "Failed to %sable promisc mode.\n",
+-                       vi->ctrl_promisc ? "en" : "dis");
++                       vi->ctrl->promisc ? "en" : "dis");
+ 
+-      sg_init_one(sg, &vi->ctrl_allmulti, sizeof(vi->ctrl_allmulti));
++      sg_init_one(sg, &vi->ctrl->allmulti, sizeof(vi->ctrl->allmulti));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX,
+                                 VIRTIO_NET_CTRL_RX_ALLMULTI, sg))
+               dev_warn(&dev->dev, "Failed to %sable allmulti mode.\n",
+-                       vi->ctrl_allmulti ? "en" : "dis");
++                       vi->ctrl->allmulti ? "en" : "dis");
+ 
+       uc_count = netdev_uc_count(dev);
+       mc_count = netdev_mc_count(dev);
+@@ -1598,8 +1602,8 @@ static int virtnet_vlan_rx_add_vid(struc
+       struct virtnet_info *vi = netdev_priv(dev);
+       struct scatterlist sg;
+ 
+-      vi->ctrl_vid = vid;
+-      sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid));
++      vi->ctrl->vid = vid;
++      sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+                                 VIRTIO_NET_CTRL_VLAN_ADD, &sg))
+@@ -1613,8 +1617,8 @@ static int virtnet_vlan_rx_kill_vid(stru
+       struct virtnet_info *vi = netdev_priv(dev);
+       struct scatterlist sg;
+ 
+-      vi->ctrl_vid = vid;
+-      sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid));
++      vi->ctrl->vid = vid;
++      sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+                                 VIRTIO_NET_CTRL_VLAN_DEL, &sg))
+@@ -1912,9 +1916,9 @@ static int virtnet_restore_up(struct vir
+ static int virtnet_set_guest_offloads(struct virtnet_info *vi, u64 offloads)
+ {
+       struct scatterlist sg;
+-      vi->ctrl_offloads = cpu_to_virtio64(vi->vdev, offloads);
++      vi->ctrl->offloads = cpu_to_virtio64(vi->vdev, offloads);
+ 
+-      sg_init_one(&sg, &vi->ctrl_offloads, sizeof(vi->ctrl_offloads));
++      sg_init_one(&sg, &vi->ctrl->offloads, sizeof(vi->ctrl->offloads));
+ 
+       if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_GUEST_OFFLOADS,
+                                 VIRTIO_NET_CTRL_GUEST_OFFLOADS_SET, &sg)) {
+@@ -2134,6 +2138,7 @@ static void virtnet_free_queues(struct v
+ 
+       kfree(vi->rq);
+       kfree(vi->sq);
++      kfree(vi->ctrl);
+ }
+ 
+ static void _free_receive_bufs(struct virtnet_info *vi)
+@@ -2326,6 +2331,9 @@ static int virtnet_alloc_queues(struct v
+ {
+       int i;
+ 
++      vi->ctrl = kzalloc(sizeof(*vi->ctrl), GFP_KERNEL);
++      if (!vi->ctrl)
++              goto err_ctrl;
+       vi->sq = kzalloc(sizeof(*vi->sq) * vi->max_queue_pairs, GFP_KERNEL);
+       if (!vi->sq)
+               goto err_sq;
+@@ -2351,6 +2359,8 @@ static int virtnet_alloc_queues(struct v
+ err_rq:
+       kfree(vi->sq);
+ err_sq:
++      kfree(vi->ctrl);
++err_ctrl:
+       return -ENOMEM;
+ }
+ 

diff --git a/queue-4.14/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch b/queue-4.14/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch
new file mode 100644 (file)
index 0000000..bf7e133
--- /dev/null
+++ b/queue-4.14/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch
@@ -0,0 +1,135 @@
+From foo@baz Thu Apr 26 20:47:12 CEST 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 17 Apr 2018 18:46:14 +0900
+Subject: vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+
+[ Upstream commit 7ce2367254e84753bceb07327aaf5c953cfce117 ]
+
+Syzkaller spotted an old bug which leads to reading skb beyond tail by 4
+bytes on vlan tagged packets.
+This is caused because skb_vlan_tagged_multi() did not check
+skb_headlen.
+
+BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
+BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
+BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
+BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:17 [inline]
+  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+  __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+  eth_type_vlan include/linux/if_vlan.h:283 [inline]
+  skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+  vlan_features_check include/linux/if_vlan.h:672 [inline]
+  dflt_features_check net/core/dev.c:2949 [inline]
+  netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+  validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
+  __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
+  dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
+  packet_snd net/packet/af_packet.c:2944 [inline]
+  packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
+  sock_sendmsg_nosec net/socket.c:630 [inline]
+  sock_sendmsg net/socket.c:640 [inline]
+  sock_write_iter+0x3b9/0x470 net/socket.c:909
+  do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+  do_iter_write+0x30d/0xd40 fs/read_write.c:932
+  vfs_writev fs/read_write.c:977 [inline]
+  do_writev+0x3c9/0x830 fs/read_write.c:1012
+  SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+  SyS_writev+0x56/0x80 fs/read_write.c:1082
+  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43ffa9
+RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
+RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
+R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+  kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+  slab_post_alloc_hook mm/slab.h:445 [inline]
+  slab_alloc_node mm/slub.c:2737 [inline]
+  __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+  __kmalloc_reserve net/core/skbuff.c:138 [inline]
+  __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+  alloc_skb include/linux/skbuff.h:984 [inline]
+  alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
+  sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
+  packet_alloc_skb net/packet/af_packet.c:2803 [inline]
+  packet_snd net/packet/af_packet.c:2894 [inline]
+  packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
+  sock_sendmsg_nosec net/socket.c:630 [inline]
+  sock_sendmsg net/socket.c:640 [inline]
+  sock_write_iter+0x3b9/0x470 net/socket.c:909
+  do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+  do_iter_write+0x30d/0xd40 fs/read_write.c:932
+  vfs_writev fs/read_write.c:977 [inline]
+  do_writev+0x3c9/0x830 fs/read_write.c:1012
+  SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+  SyS_writev+0x56/0x80 fs/read_write.c:1082
+  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.")
+Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h |    7 +++++--
+ net/core/dev.c          |    2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -584,7 +584,7 @@ static inline bool skb_vlan_tagged(const
+  * Returns true if the skb is tagged with multiple vlan headers, regardless
+  * of whether it is hardware accelerated or not.
+  */
+-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
+ {
+       __be16 protocol = skb->protocol;
+ 
+@@ -594,6 +594,9 @@ static inline bool skb_vlan_tagged_multi
+               if (likely(!eth_type_vlan(protocol)))
+                       return false;
+ 
++              if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
++                      return false;
++
+               veh = (struct vlan_ethhdr *)skb->data;
+               protocol = veh->h_vlan_encapsulated_proto;
+       }
+@@ -611,7 +614,7 @@ static inline bool skb_vlan_tagged_multi
+  *
+  * Returns features without unsafe ones if the skb has multiple tags.
+  */
+-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
++static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
+                                                   netdev_features_t features)
+ {
+       if (skb_vlan_tagged_multi(skb)) {
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2903,7 +2903,7 @@ netdev_features_t passthru_features_chec
+ }
+ EXPORT_SYMBOL(passthru_features_check);
+ 
+-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
++static netdev_features_t dflt_features_check(struct sk_buff *skb,
+                                            struct net_device *dev,
+                                            netdev_features_t features)
+ {