3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Nov 2018 17:03:29 +0000 (09:03 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Nov 2018 17:03:29 +0000 (09:03 -0800)
added patches:
ipv6-mcast-fix-a-use-after-free-in-inet6_mc_check.patch
ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch
llc-set-sock_rcu_free-in-llc_sap_add_socket.patch
net-drop-skb-on-failure-in-ip_check_defrag.patch
net-ipv6-fix-index-counter-for-unicast-addresses-in-in6_dump_addrs.patch
net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch
net-socket-fix-a-missing-check-bug.patch
net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch
r8169-fix-napi-handling-under-high-load.patch
rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
sctp-fix-race-on-sctp_id2asoc.patch

12 files changed:
queue-3.18/ipv6-mcast-fix-a-use-after-free-in-inet6_mc_check.patch [new file with mode: 0644]
queue-3.18/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch [new file with mode: 0644]
queue-3.18/llc-set-sock_rcu_free-in-llc_sap_add_socket.patch [new file with mode: 0644]
queue-3.18/net-drop-skb-on-failure-in-ip_check_defrag.patch [new file with mode: 0644]
queue-3.18/net-ipv6-fix-index-counter-for-unicast-addresses-in-in6_dump_addrs.patch [new file with mode: 0644]
queue-3.18/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch [new file with mode: 0644]
queue-3.18/net-socket-fix-a-missing-check-bug.patch [new file with mode: 0644]
queue-3.18/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch [new file with mode: 0644]
queue-3.18/r8169-fix-napi-handling-under-high-load.patch [new file with mode: 0644]
queue-3.18/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch [new file with mode: 0644]
queue-3.18/sctp-fix-race-on-sctp_id2asoc.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/ipv6-mcast-fix-a-use-after-free-in-inet6_mc_check.patch b/queue-3.18/ipv6-mcast-fix-a-use-after-free-in-inet6_mc_check.patch
new file mode 100644 (file)
index 0000000..3d4596d
--- /dev/null
@@ -0,0 +1,173 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 12 Oct 2018 18:58:53 -0700
+Subject: ipv6: mcast: fix a use-after-free in inet6_mc_check
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dc012f3628eaecfb5ba68404a5c30ef501daf63d ]
+
+syzbot found a use-after-free in inet6_mc_check [1]
+
+The problem here is that inet6_mc_check() uses rcu
+and read_lock(&iml->sflock)
+
+So the fact that ip6_mc_leave_src() is called under RTNL
+and the socket lock does not help us, we need to acquire
+iml->sflock in write mode.
+
+In the future, we should convert all this stuff to RCU.
+
+[1]
+BUG: KASAN: use-after-free in ipv6_addr_equal include/net/ipv6.h:521 [inline]
+BUG: KASAN: use-after-free in inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
+Read of size 8 at addr ffff8801ce7f2510 by task syz-executor0/22432
+
+CPU: 1 PID: 22432 Comm: syz-executor0 Not tainted 4.19.0-rc7+ #280
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
+ print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+ ipv6_addr_equal include/net/ipv6.h:521 [inline]
+ inet6_mc_check+0xae7/0xb40 net/ipv6/mcast.c:649
+ __raw_v6_lookup+0x320/0x3f0 net/ipv6/raw.c:98
+ ipv6_raw_deliver net/ipv6/raw.c:183 [inline]
+ raw6_local_deliver+0x3d3/0xcb0 net/ipv6/raw.c:240
+ ip6_input_finish+0x467/0x1aa0 net/ipv6/ip6_input.c:345
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:426
+ ip6_mc_input+0x48a/0xd20 net/ipv6/ip6_input.c:503
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ipv6_rcv+0x120/0x640 net/ipv6/ip6_input.c:271
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ netif_receive_skb_internal+0x12c/0x620 net/core/dev.c:5126
+ napi_frags_finish net/core/dev.c:5664 [inline]
+ napi_gro_frags+0x75a/0xc90 net/core/dev.c:5737
+ tun_get_user+0x3189/0x4250 drivers/net/tun.c:1923
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1968
+ call_write_iter include/linux/fs.h:1808 [inline]
+ do_iter_readv_writev+0x8b0/0xa80 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1f1/0x360 fs/read_write.c:1004
+ do_writev+0x11a/0x310 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x457421
+Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 b5 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
+RSP: 002b:00007f2d30ecaba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000457421
+RDX: 0000000000000001 RSI: 00007f2d30ecabf0 RDI: 00000000000000f0
+RBP: 0000000020000500 R08: 00000000000000f0 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000293 R12: 00007f2d30ecb6d4
+R13: 00000000004c4890 R14: 00000000004d7b90 R15: 00000000ffffffff
+
+Allocated by task 22437:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ __do_kmalloc mm/slab.c:3718 [inline]
+ __kmalloc+0x14e/0x760 mm/slab.c:3727
+ kmalloc include/linux/slab.h:518 [inline]
+ sock_kmalloc+0x15a/0x1f0 net/core/sock.c:1983
+ ip6_mc_source+0x14dd/0x1960 net/ipv6/mcast.c:427
+ do_ipv6_setsockopt.isra.9+0x3afb/0x45d0 net/ipv6/ipv6_sockglue.c:743
+ ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:933
+ rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1069
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3038
+ __sys_setsockopt+0x1ba/0x3c0 net/socket.c:1902
+ __do_sys_setsockopt net/socket.c:1913 [inline]
+ __se_sys_setsockopt net/socket.c:1910 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 22430:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kfree+0xcf/0x230 mm/slab.c:3813
+ __sock_kfree_s net/core/sock.c:2004 [inline]
+ sock_kfree_s+0x29/0x60 net/core/sock.c:2010
+ ip6_mc_leave_src+0x11a/0x1d0 net/ipv6/mcast.c:2448
+ __ipv6_sock_mc_close+0x20b/0x4e0 net/ipv6/mcast.c:310
+ ipv6_sock_mc_close+0x158/0x1d0 net/ipv6/mcast.c:328
+ inet6_release+0x40/0x70 net/ipv6/af_inet6.c:452
+ __sock_release+0xd7/0x250 net/socket.c:579
+ sock_close+0x19/0x20 net/socket.c:1141
+ __fput+0x385/0xa30 fs/file_table.c:278
+ ____fput+0x15/0x20 fs/file_table.c:309
+ task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:193 [inline]
+ exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
+ prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
+ do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801ce7f2500
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 16 bytes inside of
+ 192-byte region [ffff8801ce7f2500, ffff8801ce7f25c0)
+The buggy address belongs to the page:
+page:ffffea000739fc80 count:1 mapcount:0 mapping:ffff8801da800040 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0006f6e548 ffffea000737b948 ffff8801da800040
+raw: 0000000000000000 ffff8801ce7f2000 0000000100000010 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801ce7f2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801ce7f2480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff8801ce7f2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                         ^
+ ffff8801ce7f2580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8801ce7f2600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/mcast.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2391,17 +2391,17 @@ static int ip6_mc_leave_src(struct sock
+ {
+       int err;
+-      /* callers have the socket lock and rtnl lock
+-       * so no other readers or writers of iml or its sflist
+-       */
++      write_lock_bh(&iml->sflock);
+       if (!iml->sflist) {
+               /* any-source empty exclude case */
+-              return ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
++              err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode, 0, NULL, 0);
++      } else {
++              err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
++                              iml->sflist->sl_count, iml->sflist->sl_addr, 0);
++              sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
++              iml->sflist = NULL;
+       }
+-      err = ip6_mc_del_src(idev, &iml->addr, iml->sfmode,
+-              iml->sflist->sl_count, iml->sflist->sl_addr, 0);
+-      sock_kfree_s(sk, iml->sflist, IP6_SFLSIZE(iml->sflist->sl_max));
+-      iml->sflist = NULL;
++      write_unlock_bh(&iml->sflock);
+       return err;
+ }
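Review bot: The comment removed at the top of the hunk was the only statement of the locking rules for iml->sflist, and nothing replaces it, so the new write_lock_bh() at the start of ip6_mc_leave_src() has no rationale in the code; the reason is that inet6_mc_check() walks sflist under rcu plus read_lock(&iml->sflock), not the socket lock, so RTNL and the socket lock do not exclude it. I would put `/* inet6_mc_check() reads sflist under rcu + read_lock(&iml->sflock), not the socket lock or RTNL; take it for write before freeing */` above the lock. The function signature is visible only in the @@ context line, but its body is complete within the hunk.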
diff --git a/queue-3.18/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch b/queue-3.18/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch
new file mode 100644 (file)
index 0000000..c3019d8
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Wed, 24 Oct 2018 14:37:21 +0200
+Subject: ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit ee1abcf689353f36d9322231b4320926096bdee0 ]
+
+Commit a61bbcf28a8c ("[NET]: Store skb->timestamp as offset to a base
+timestamp") introduces a neighbour control buffer and zeroes it out in
+ndisc_rcv(), as ndisc_recv_ns() uses it.
+
+Commit f2776ff04722 ("[IPV6]: Fix address/interface handling in UDP and
+DCCP, according to the scoping architecture.") introduces the usage of the
+IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in
+present-day __udp6_lib_err()).
+
+Now, with commit b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate
+redirect, instead of rt6_redirect()."), we call protocol error handlers
+from ndisc_redirect_rcv(), after the control buffer is already stolen and
+some parts are already zeroed out. This implies that inet6_iif() on this
+path will always return zero.
+
+This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as
+we might actually need to match sockets for a given interface.
+
+Instead of always claiming the control buffer in ndisc_rcv(), do that only
+when needed.
+
+Fixes: b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1610,10 +1610,9 @@ int ndisc_rcv(struct sk_buff *skb)
+               return 0;
+       }
+-      memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
+-
+       switch (msg->icmph.icmp6_type) {
+       case NDISC_NEIGHBOUR_SOLICITATION:
++              memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
+               ndisc_recv_ns(skb);
+               break;
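Review bot: Clearing NEIGH_CB() only in the NDISC_NEIGHBOUR_SOLICITATION arm leaves the other arms of the switch, which lie outside the hunk, without the memset they previously had; the backport relies on ndisc_recv_ns() being the sole consumer of the neighbour control buffer in 3.18, which the commit message asserts but the hunk cannot show, so that is worth confirming against the remaining arms. I would also record it at the new memset: `/* Only ndisc_recv_ns() uses NEIGH_CB(); clearing it for every message clobbers the IPv6 CB that error handlers reached from ndisc_redirect_rcv() read via inet6_iif() */`. ndisc_rcv() continues past the end of the hunk.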
diff --git a/queue-3.18/llc-set-sock_rcu_free-in-llc_sap_add_socket.patch b/queue-3.18/llc-set-sock_rcu_free-in-llc_sap_add_socket.patch
new file mode 100644 (file)
index 0000000..6b17d3c
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 11 Oct 2018 11:15:13 -0700
+Subject: llc: set SOCK_RCU_FREE in llc_sap_add_socket()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 5a8e7aea953bdb6d4da13aff6f1e7f9c62023499 ]
+
+WHen an llc sock is added into the sk_laddr_hash of an llc_sap,
+it is not marked with SOCK_RCU_FREE.
+
+This causes that the sock could be freed while it is still being
+read by __llc_lookup_established() with RCU read lock. sock is
+refcounted, but with RCU read lock, nothing prevents the readers
+getting a zero refcnt.
+
+Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().
+
+Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/llc_conn.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap *
+       llc_sk(sk)->sap = sap;
+       spin_lock_bh(&sap->sk_lock);
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sap->sk_count++;
+       sk_nulls_add_node_rcu(sk, laddr_hb);
+       hlist_add_head(&llc->dev_hash_node, dev_hb);
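Review bot: The new sock_set_flag(sk, SOCK_RCU_FREE) carries no comment, and its placement before sk_nulls_add_node_rcu() is the property that matters: the flag must be set before the socket becomes reachable from the RCU-protected hash, otherwise a concurrent lookup could still race with a synchronous free. A one-line comment would keep a later reorder from breaking that: `/* must precede publication in the hash: __llc_lookup_established() walks it under rcu_read_lock() only */`. llc_sap_add_socket() continues beyond the hunk, so the matching unlock is not visible here.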
diff --git a/queue-3.18/net-drop-skb-on-failure-in-ip_check_defrag.patch b/queue-3.18/net-drop-skb-on-failure-in-ip_check_defrag.patch
new file mode 100644 (file)
index 0000000..068d826
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 1 Nov 2018 12:02:37 -0700
+Subject: net: drop skb on failure in ip_check_defrag()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ]
+
+Most callers of pskb_trim_rcsum() simply drop the skb when
+it fails, however, ip_check_defrag() still continues to pass
+the skb up to stack. This is suspicious.
+
+In ip_check_defrag(), after we learn the skb is an IP fragment,
+passing the skb to callers makes no sense, because callers expect
+fragments are defrag'ed on success. So, dropping the skb when we
+can't defrag it is reasonable.
+
+Note, prior to commit 88078d98d1bb, this is not a big problem as
+checksum will be fixed up anyway. After it, the checksum is not
+correct on failure.
+
+Found this during code review.
+
+Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends")
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -684,10 +684,14 @@ struct sk_buff *ip_check_defrag(struct s
+       if (ip_is_fragment(&iph)) {
+               skb = skb_share_check(skb, GFP_ATOMIC);
+               if (skb) {
+-                      if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
+-                              return skb;
+-                      if (pskb_trim_rcsum(skb, netoff + len))
+-                              return skb;
++                      if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) {
++                              kfree_skb(skb);
++                              return NULL;
++                      }
++                      if (pskb_trim_rcsum(skb, netoff + len)) {
++                              kfree_skb(skb);
++                              return NULL;
++                      }
+                       memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+                       if (ip_defrag(skb, user))
+                               return NULL;
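Review bot: The two new failure blocks are identical (kfree_skb(skb); return NULL;), and the conditions can be combined so the drop path appears once: `if (!pskb_may_pull(skb, netoff + iph.ihl * 4) || pskb_trim_rcsum(skb, netoff + len)) { kfree_skb(skb); return NULL; }`. This is a style point only; behaviour is unchanged because the second test was already skipped whenever the first failed. The enclosing `if (skb)` block and ip_check_defrag() itself continue outside the hunk, so what the function returns when skb_share_check() yields NULL is not visible here.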
diff --git a/queue-3.18/net-ipv6-fix-index-counter-for-unicast-addresses-in-in6_dump_addrs.patch b/queue-3.18/net-ipv6-fix-index-counter-for-unicast-addresses-in-in6_dump_addrs.patch
new file mode 100644 (file)
index 0000000..0c97b4f
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Fri, 19 Oct 2018 10:00:19 -0700
+Subject: net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 4ba4c566ba8448a05e6257e0b98a21f1a0d55315 ]
+
+The loop wants to skip previously dumped addresses, so loops until
+current index >= saved index. If the message fills it wants to save
+the index for the next address to dump - ie., the one that did not
+fit in the current message.
+
+Currently, it is incrementing the index counter before comparing to the
+saved index, and then the saved index is off by 1 - it assumes the
+current address is going to fit in the message.
+
+Change the index handling to increment only after a succesful dump.
+
+Fixes: 502a2ffd7376a ("ipv6: convert idev_list to list macros")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4098,8 +4098,8 @@ static int in6_dump_addrs(struct inet6_d
+               /* unicast address incl. temp addr */
+               list_for_each_entry(ifa, &idev->addr_list, if_list) {
+-                      if (++ip_idx < s_ip_idx)
+-                              continue;
++                      if (ip_idx < s_ip_idx)
++                              goto next;
+                       err = inet6_fill_ifaddr(skb, ifa,
+                                               NETLINK_CB(cb->skb).portid,
+                                               cb->nlh->nlmsg_seq,
+@@ -4108,6 +4108,8 @@ static int in6_dump_addrs(struct inet6_d
+                       if (err <= 0)
+                               break;
+                       nl_dump_check_consistent(cb, nlmsg_hdr(skb));
++next:
++                      ip_idx++;
+               }
+               break;
+       }
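Review bot: The break on `err <= 0` deliberately leaves ip_idx un-incremented so that it names the address that did not fit and the next dump resumes there, but nothing in the code says so, and a `next:` label used as a continue target is unusual enough that a later cleanup could move `ip_idx++` back above the check and reintroduce the off-by-one. I would annotate the label: `next: /* advance only after a successful fill; on break ip_idx must still point at the unsent address */`. Only the unicast loop is changed; whether the anycast and multicast loops below, outside both hunks, use the same pre-increment pattern cannot be seen here. in6_dump_addrs() continues outside the hunks.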
diff --git a/queue-3.18/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch b/queue-3.18/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch
new file mode 100644 (file)
index 0000000..9a9c03e
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Fri, 26 Oct 2018 15:51:06 -0700
+Subject: net: sched: gred: pass the right attribute to gred_change_table_def()
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 38b4f18d56372e1e21771ab7b0357b853330186c ]
+
+gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute,
+and expects it will be able to interpret its contents as
+struct tc_gred_sopt.  Pass the correct gred attribute, instead of
+TCA_OPTIONS.
+
+This bug meant the table definition could never be changed after
+Qdisc was initialized (unless whatever TCA_OPTIONS contained both
+passed netlink validation and was a valid struct tc_gred_sopt...).
+
+Old behaviour:
+$ ip link add type dummy
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+     gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+     gred setup vqs 4 default 0
+RTNETLINK answers: Invalid argument
+
+Now:
+$ ip link add type dummy
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+     gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+     gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+     gred setup vqs 4 default 0
+
+Fixes: f62d6b936df5 ("[PKT_SCHED]: GRED: Use central VQ change procedure")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_gred.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -437,7 +437,7 @@ static int gred_change(struct Qdisc *sch
+               return err;
+       if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL)
+-              return gred_change_table_def(sch, opt);
++              return gred_change_table_def(sch, tb[TCA_GRED_DPS]);
+       if (tb[TCA_GRED_PARMS] == NULL ||
+           tb[TCA_GRED_STAB] == NULL)
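Review bot: tb[TCA_GRED_DPS] is an optional attribute and may be NULL on this path, whereas the `opt` it replaces was always a valid nlattr; the new call is only safe if gred_change_table_def() rejects a NULL pointer before dereferencing it, which is outside the hunk and should be confirmed, or made explicit here with `if (!tb[TCA_GRED_DPS]) return -EINVAL;` ahead of the call. gred_change() continues beyond the hunk on both sides.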
diff --git a/queue-3.18/net-socket-fix-a-missing-check-bug.patch b/queue-3.18/net-socket-fix-a-missing-check-bug.patch
new file mode 100644 (file)
index 0000000..45506e4
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Thu, 18 Oct 2018 09:36:46 -0500
+Subject: net: socket: fix a missing-check bug
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+[ Upstream commit b6168562c8ce2bd5a30e213021650422e08764dc ]
+
+In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
+statement to see whether it is necessary to pre-process the ethtool
+structure, because, as mentioned in the comment, the structure
+ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
+is allocated through compat_alloc_user_space(). One thing to note here is
+that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
+partially determined by 'rule_cnt', which is actually acquired from the
+user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
+get_user(). After 'rxnfc' is allocated, the data in the original user-space
+buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
+including the 'rule_cnt' field. However, after this copy, no check is
+re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
+race to change the value in the 'compat_rxnfc->rule_cnt' between these two
+copies. Through this way, the attacker can bypass the previous check on
+'rule_cnt' and inject malicious data. This can cause undefined behavior of
+the kernel and introduce potential security risk.
+
+This patch avoids the above issue via copying the value acquired by
+get_user() to 'rxnfc->rule_cn', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2918,9 +2918,14 @@ static int ethtool_ioctl(struct net *net
+                   copy_in_user(&rxnfc->fs.ring_cookie,
+                                &compat_rxnfc->fs.ring_cookie,
+                                (void __user *)(&rxnfc->fs.location + 1) -
+-                               (void __user *)&rxnfc->fs.ring_cookie) ||
+-                  copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
+-                               sizeof(rxnfc->rule_cnt)))
++                               (void __user *)&rxnfc->fs.ring_cookie))
++                      return -EFAULT;
++              if (ethcmd == ETHTOOL_GRXCLSRLALL) {
++                      if (put_user(rule_cnt, &rxnfc->rule_cnt))
++                              return -EFAULT;
++              } else if (copy_in_user(&rxnfc->rule_cnt,
++                                      &compat_rxnfc->rule_cnt,
++                                      sizeof(rxnfc->rule_cnt)))
+                       return -EFAULT;
+       }
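Review bot: The new put_user(rule_cnt, &rxnfc->rule_cnt) closes a double fetch, but the code gives no hint that re-reading compat_rxnfc->rule_cnt is exactly what must not happen, and the else branch still performs that copy for every other command, so a future simplification that merges the two branches would silently reopen it. I would comment the branch: `/* rule_cnt already sized rxnfc above; write back that copy rather than re-reading compat_rxnfc, which userspace can change between the two fetches */`. The enclosing `if` and ethtool_ioctl() extend beyond the hunk, so the earlier get_user() of rule_cnt is not visible here.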
diff --git a/queue-3.18/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch b/queue-3.18/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch
new file mode 100644 (file)
index 0000000..7c33033
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Wed, 31 Oct 2018 16:08:10 +0100
+Subject: net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
+
+From: Niklas Cassel <niklas.cassel@linaro.org>
+
+[ Upstream commit 30549aab146ccb1275230c3b4b4bc6b4181fd54e ]
+
+When building stmmac, it is only possible to select CONFIG_DWMAC_GENERIC,
+or any of the glue drivers, when CONFIG_STMMAC_PLATFORM is set.
+The only exception is CONFIG_STMMAC_PCI.
+
+When calling of_mdiobus_register(), it will call our ->reset()
+callback, which is set to stmmac_mdio_reset().
+
+Most of the code in stmmac_mdio_reset() is protected by a
+"#if defined(CONFIG_STMMAC_PLATFORM)", which will evaluate
+to false when CONFIG_STMMAC_PLATFORM=m.
+
+Because of this, the phy reset gpio will only be pulled when
+stmmac is built as built-in, but not when built as modules.
+
+Fix this by using "#if IS_ENABLED()" instead of "#if defined()".
+
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -130,7 +130,7 @@ static int stmmac_mdio_write(struct mii_
+  */
+ int stmmac_mdio_reset(struct mii_bus *bus)
+ {
+-#if defined(CONFIG_STMMAC_PLATFORM)
++#if IS_ENABLED(CONFIG_STMMAC_PLATFORM)
+       struct net_device *ndev = bus->priv;
+       struct stmmac_priv *priv = netdev_priv(ndev);
+       unsigned int mii_address = priv->hw->mii.addr;
diff --git a/queue-3.18/r8169-fix-napi-handling-under-high-load.patch b/queue-3.18/r8169-fix-napi-handling-under-high-load.patch
new file mode 100644 (file)
index 0000000..8c47658
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 18 Oct 2018 19:56:01 +0200
+Subject: r8169: fix NAPI handling under high load
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 6b839b6cf9eada30b086effb51e5d6076bafc761 ]
+
+rtl_rx() and rtl_tx() are called only if the respective bits are set
+in the interrupt status register. Under high load NAPI may not be
+able to process all data (work_done == budget) and it will schedule
+subsequent calls to the poll callback.
+rtl_ack_events() however resets the bits in the interrupt status
+register, therefore subsequent calls to rtl8169_poll() won't call
+rtl_rx() and rtl_tx() - chip interrupts are still disabled.
+
+Fix this by calling rtl_rx() and rtl_tx() independent of the bits
+set in the interrupt status register. Both functions will detect
+if there's nothing to do for them.
+
+Fixes: da78dbff2e05 ("r8169: remove work from irq handler.")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -7445,17 +7445,15 @@ static int rtl8169_poll(struct napi_stru
+       struct rtl8169_private *tp = container_of(napi, struct rtl8169_private, napi);
+       struct net_device *dev = tp->dev;
+       u16 enable_mask = RTL_EVENT_NAPI | tp->event_slow;
+-      int work_done= 0;
++      int work_done;
+       u16 status;
+       status = rtl_get_events(tp);
+       rtl_ack_events(tp, status & ~tp->event_slow);
+-      if (status & RTL_EVENT_NAPI_RX)
+-              work_done = rtl_rx(dev, tp, (u32) budget);
++      work_done = rtl_rx(dev, tp, (u32) budget);
+-      if (status & RTL_EVENT_NAPI_TX)
+-              rtl_tx(dev, tp);
++      rtl_tx(dev, tp);
+       if (status & tp->event_slow) {
+               enable_mask &= ~tp->event_slow;
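Review bot: The rationale for calling rtl_rx() and rtl_tx() unconditionally lives only in the commit message; in the code it now reads like an oversight, since `status` is still fetched and masked on the lines just above and the natural assumption is that the checks were dropped by mistake. A short comment above the rtl_rx() call would protect it: `/* rtl_ack_events() already cleared the RX/TX bits in status; a poll rescheduled after work_done == budget must still drain the rings, so do not gate on them */`. Dropping the initialiser on work_done is fine, as rtl_rx() now assigns it on every path through the hunk. rtl8169_poll() continues outside the hunk.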
diff --git a/queue-3.18/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch b/queue-3.18/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
new file mode 100644 (file)
index 0000000..f0d3564
--- /dev/null
@@ -0,0 +1,124 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 29 Oct 2018 20:36:43 +0000
+Subject: rtnetlink: Disallow FDB configuration for non-Ethernet device
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ]
+
+When an FDB entry is configured, the address is validated to have the
+length of an Ethernet address, but the device for which the address is
+configured can be of any type.
+
+The above can result in the use of uninitialized memory when the address
+is later compared against existing addresses since 'dev->addr_len' is
+used and it may be greater than ETH_ALEN, as with ip6tnl devices.
+
+Fix this by making sure that FDB entries are only configured for
+Ethernet devices.
+
+BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863
+CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0x14b/0x190 lib/dump_stack.c:113
+  kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956
+  __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645
+  memcmp+0x11d/0x180 lib/string.c:863
+  dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464
+  ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline]
+  rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558
+  rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715
+  netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454
+  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733
+  netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+  netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343
+  netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908
+  sock_sendmsg_nosec net/socket.c:621 [inline]
+  sock_sendmsg net/socket.c:631 [inline]
+  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
+  __sys_sendmsg net/socket.c:2152 [inline]
+  __do_sys_sendmsg net/socket.c:2161 [inline]
+  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
+  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
+  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
+  entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440ee9
+Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fff6a93b518 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ee9
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 000000000000b4b0
+R13: 0000000000401ec0 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
+  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181
+  kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91
+  kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
+  slab_post_alloc_hook mm/slab.h:446 [inline]
+  slab_alloc_node mm/slub.c:2718 [inline]
+  __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351
+  __kmalloc_reserve net/core/skbuff.c:138 [inline]
+  __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206
+  alloc_skb include/linux/skbuff.h:996 [inline]
+  netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
+  netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883
+  sock_sendmsg_nosec net/socket.c:621 [inline]
+  sock_sendmsg net/socket.c:631 [inline]
+  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
+  __sys_sendmsg net/socket.c:2152 [inline]
+  __do_sys_sendmsg net/socket.c:2161 [inline]
+  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
+  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
+  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
+  entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+v2:
+* Make error message more specific (David)
+
+Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_<op>")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: David Ahern <dsahern@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2409,6 +2409,11 @@ static int rtnl_fdb_add(struct sk_buff *
+               return -EINVAL;
+       }
++      if (dev->type != ARPHRD_ETHER) {
++              pr_info("PF_BRIDGE: FDB add only supported for Ethernet devices");
++              return -EINVAL;
++      }
++
+       addr = nla_data(tb[NDA_LLADDR]);
+       err = -EOPNOTSUPP;
+@@ -2504,6 +2509,11 @@ static int rtnl_fdb_del(struct sk_buff *
+               return -EINVAL;
+       }
++      if (dev->type != ARPHRD_ETHER) {
++              pr_info("PF_BRIDGE: FDB delete only supported for Ethernet devices");
++              return -EINVAL;
++      }
++
+       addr = nla_data(tb[NDA_LLADDR]);
+       err = -EOPNOTSUPP;
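Review bot: The two pr_info() strings added with the ARPHRD_ETHER checks in rtnl_fdb_add and rtnl_fdb_del lack a trailing newline, so the next unrelated printk can be glued onto the same log line; use `pr_info("PF_BRIDGE: FDB add only supported for Ethernet devices\n");` and the matching `"... FDB delete only supported for Ethernet devices\n"` form. Both messages also fire unconditionally on every rejected FDB add/delete request, which a netlink sender holding CAP_NET_ADMIN in its namespace can presumably trigger at will, so `pr_info_ratelimited()` would be the safer choice even though the surrounding code appears to use plain pr_info. The check itself is the right fix: it keeps dev_uc_add_excl()'s memcmp over dev->addr_len from reading past the ETH_ALEN bytes that NDA_LLADDR was validated to carry. rtnl_fdb_add and rtnl_fdb_del both start and end outside the hunk.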
diff --git a/queue-3.18/sctp-fix-race-on-sctp_id2asoc.patch b/queue-3.18/sctp-fix-race-on-sctp_id2asoc.patch
new file mode 100644 (file)
index 0000000..d8eae74
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu Nov  8 07:52:16 PST 2018
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Tue, 16 Oct 2018 15:18:17 -0300
+Subject: sctp: fix race on sctp_id2asoc
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit b336decab22158937975293aea79396525f92bb3 ]
+
+syzbot reported an use-after-free involving sctp_id2asoc.  Dmitry Vyukov
+helped to root cause it and it is because of reading the asoc after it
+was freed:
+
+        CPU 1                       CPU 2
+(working on socket 1)            (working on socket 2)
+                                sctp_association_destroy
+sctp_id2asoc
+   spin lock
+     grab the asoc from idr
+   spin unlock
+                                   spin lock
+                                    remove asoc from idr
+                                  spin unlock
+                                  free(asoc)
+   if asoc->base.sk != sk ... [*]
+
+This can only be hit if trying to fetch asocs from different sockets. As
+we have a single IDR for all asocs, in all SCTP sockets, their id is
+unique on the system. An application can try to send stuff on an id
+that matches on another socket, and the if in [*] will protect from such
+usage. But it didn't consider that as that asoc may belong to another
+socket, it may be freed in parallel (read: under another socket lock).
+
+We fix it by moving the checks in [*] into the protected region. This
+fixes it because the asoc cannot be freed while the lock is held.
+
+Reported-by: syzbot+c7dd55d7aec49d48e49a@syzkaller.appspotmail.com
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -253,11 +253,10 @@ struct sctp_association *sctp_id2assoc(s
+       spin_lock_bh(&sctp_assocs_id_lock);
+       asoc = (struct sctp_association *)idr_find(&sctp_assocs_id, (int)id);
++      if (asoc && (asoc->base.sk != sk || asoc->base.dead))
++              asoc = NULL;
+       spin_unlock_bh(&sctp_assocs_id_lock);
+-      if (!asoc || (asoc->base.sk != sk) || asoc->base.dead)
+-              return NULL;
+-
+       return asoc;
+ }
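Review bot: The ownership check moved inside the sctp_assocs_id_lock region in sctp_id2assoc deserves a comment explaining why it must stay there, since a later cleanup could easily hoist it back out and reintroduce the race the commit message describes. Suggested comment above the new `if`: `/* Check ownership under the lock: the IDR is global across sockets, so an asoc belonging to another socket may be freed concurrently under that socket's lock. */` Once the asoc is confirmed to belong to sk it is presumably kept alive by the caller's socket lock, which is what makes returning it after spin_unlock_bh() safe; that assumption is worth stating in the same comment. sctp_id2assoc starts outside the hunk.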
index 52ef85c6a96b877592afb4eb123fa081cbdf1e3d..02975af164a8e6a6173c40931aa250bf97fa74d0 100644 (file)
@@ -128,3 +128,14 @@ fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
 perf-tools-disable-parallelism-for-make-clean.patch
 proc-iomem-only-expose-physical-resource-addresses-to-privileged-users.patch
 mremap-properly-flush-tlb-before-releasing-the-page.patch
+ipv6-mcast-fix-a-use-after-free-in-inet6_mc_check.patch
+ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch
+llc-set-sock_rcu_free-in-llc_sap_add_socket.patch
+net-ipv6-fix-index-counter-for-unicast-addresses-in-in6_dump_addrs.patch
+net-socket-fix-a-missing-check-bug.patch
+net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch
+r8169-fix-napi-handling-under-high-load.patch
+sctp-fix-race-on-sctp_id2asoc.patch
+net-drop-skb-on-failure-in-ip_check_defrag.patch
+rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
+net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch