From b1f4ff6fe4f4bc5e1bf1636cc6ae71ea758ecfe0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 2 Sep 2022 09:48:12 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
	net-af_packet-check-len-when-min_header_len-equals-to-0.patch
---
 ...-len-when-min_header_len-equals-to-0.patch | 35 +++++++++++++++++++
 queue-5.4/series                              |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 queue-5.4/net-af_packet-check-len-when-min_header_len-equals-to-0.patch

diff --git a/queue-5.4/net-af_packet-check-len-when-min_header_len-equals-to-0.patch b/queue-5.4/net-af_packet-check-len-when-min_header_len-equals-to-0.patch
new file mode 100644
index 00000000000..66b053b99ac
--- /dev/null
+++ b/queue-5.4/net-af_packet-check-len-when-min_header_len-equals-to-0.patch
@@ -0,0 +1,35 @@
+From dc633700f00f726e027846a318c5ffeb8deaaeda Mon Sep 17 00:00:00 2001
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+Date: Wed, 27 Jul 2022 17:33:12 +0800
+Subject: net/af_packet: check len when min_header_len equals to 0
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+commit dc633700f00f726e027846a318c5ffeb8deaaeda upstream.
+
+User can use AF_PACKET socket to send packets with the length of 0.
+When min_header_len equals to 0, packet_snd will call __dev_queue_xmit
+to send packets, and sock->type can be any type.
+
+Reported-by: syzbot+5ea725c25d06fb9114c4@syzkaller.appspotmail.com
+Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2960,8 +2960,8 @@ static int packet_snd(struct socket *soc
+ 	if (err)
+ 		goto out_free;
+ 
+-	if (sock->type == SOCK_RAW &&
+-	    !dev_validate_header(dev, skb->data, len)) {
++	if ((sock->type == SOCK_RAW &&
++	     !dev_validate_header(dev, skb->data, len)) || !skb->len) {
+ 		err = -EINVAL;
+ 		goto out_free;
+ 	}
diff --git a/queue-5.4/series b/queue-5.4/series
index 508f8c03554..d0112eb85ef 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -73,3 +73,4 @@ lib-vdso-let-do_coarse-return-0-to-simplify-the-call.patch
 lib-vdso-mark-do_hres-and-do_coarse-as-__always_inli.patch
 kprobes-don-t-call-disarm_kprobe-for-disabled-kprobes.patch
 io_uring-disable-polling-pollfree-files.patch
+net-af_packet-check-len-when-min_header_len-equals-to-0.patch
-- 
2.47.3