5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 7 Jun 2020 13:10:26 +0000 (15:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 7 Jun 2020 13:10:26 +0000 (15:10 +0200)
added patches:
devinet-fix-memleak-in-inetdev_init.patch
l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
l2tp-do-not-use-inet_hash-inet_unhash.patch
net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
net-check-untrusted-gso_size-at-kernel-entry.patch
net-mlx5-fix-crash-upon-suspend-resume.patch
net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
nfp-flower-fix-used-time-of-merge-flow-statistics.patch
vsock-fix-timeout-in-vsock_accept.patch

12 files changed:
queue-5.4/devinet-fix-memleak-in-inetdev_init.patch [new file with mode: 0644]
queue-5.4/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch [new file with mode: 0644]
queue-5.4/l2tp-do-not-use-inet_hash-inet_unhash.patch [new file with mode: 0644]
queue-5.4/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch [new file with mode: 0644]
queue-5.4/net-check-untrusted-gso_size-at-kernel-entry.patch [new file with mode: 0644]
queue-5.4/net-mlx5-fix-crash-upon-suspend-resume.patch [new file with mode: 0644]
queue-5.4/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch [new file with mode: 0644]
queue-5.4/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch [new file with mode: 0644]
queue-5.4/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch [new file with mode: 0644]
queue-5.4/nfp-flower-fix-used-time-of-merge-flow-statistics.patch [new file with mode: 0644]
queue-5.4/series [new file with mode: 0644]
queue-5.4/vsock-fix-timeout-in-vsock_accept.patch [new file with mode: 0644]

diff --git a/queue-5.4/devinet-fix-memleak-in-inetdev_init.patch b/queue-5.4/devinet-fix-memleak-in-inetdev_init.patch
new file mode 100644 (file)
index 0000000..35437f7
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Sat, 30 May 2020 11:34:33 +0800
+Subject: devinet: fix memleak in inetdev_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
+
+When devinet_sysctl_register() failed, the memory allocated
+in neigh_parms_alloc() should be freed.
+
+Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -276,6 +276,7 @@ static struct in_device *inetdev_init(st
+       err = devinet_sysctl_register(in_dev);
+       if (err) {
+               in_dev->dead = 1;
++              neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+               in_dev_put(in_dev);
+               in_dev = NULL;
+               goto out;
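Review bot: The added `neigh_parms_release(&arp_tbl, in_dev->arp_parms);` in the `devinet_sysctl_register()` failure branch has no comment naming the allocation it undoes, and the unwind in this branch is hand-ordered rather than label-based. A one-line comment such as `/* pairs with neigh_parms_alloc() earlier in inetdev_init() */` would make the pairing visible to whoever adds the next failure exit after this point. inetdev_init() starts and ends outside the hunk, so other exits between the allocation and this branch cannot be checked from here.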
diff --git a/queue-5.4/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch b/queue-5.4/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
new file mode 100644 (file)
index 0000000..31be6e1
--- /dev/null
@@ -0,0 +1,139 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:32:25 -0700
+Subject: l2tp: add sk_family checks to l2tp_validate_socket
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
+
+syzbot was able to trigger a crash after using an ISDN socket
+and fool l2tp.
+
+Fix this by making sure the UDP socket is of the proper family.
+
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
+
+CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
+ __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+ l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
+ l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
+ genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45ca29
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
+
+Allocated by task 3018:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ __kasan_kmalloc mm/kasan/common.c:495 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x161/0x7a0 mm/slab.c:3665
+ kmalloc include/linux/slab.h:560 [inline]
+ sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
+ sk_alloc+0x36/0x1100 net/core/sock.c:1666
+ data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
+ mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Freed by task 2484:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ kasan_set_free_info mm/kasan/common.c:317 [inline]
+ __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x109/0x2b0 mm/slab.c:3757
+ kvfree+0x42/0x50 mm/util.c:603
+ __free_fdtable+0x2d/0x70 fs/file.c:31
+ put_files_struct fs/file.c:420 [inline]
+ put_files_struct+0x248/0x2e0 fs/file.c:413
+ exit_files+0x7e/0xa0 fs/file.c:445
+ do_exit+0xb04/0x2dd0 kernel/exit.c:791
+ do_group_exit+0x125/0x340 kernel/exit.c:894
+ get_signal+0x47b/0x24e0 kernel/signal.c:2739
+ do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
+ exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
+ prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The buggy address belongs to the object at ffff88808ed0c000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1424 bytes inside of
+ 2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
+The buggy address belongs to the page:
+page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
+raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                         ^
+ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Guillaume Nault <gnault@redhat.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1460,6 +1460,9 @@ static int l2tp_validate_socket(const st
+       if (sk->sk_type != SOCK_DGRAM)
+               return -EPROTONOSUPPORT;
++      if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
++              return -EPROTONOSUPPORT;
++
+       if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
+           (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
+               return -EPROTONOSUPPORT;
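Review bot: The new `sk_family` test in l2tp_validate_socket() has no comment saying why the existing type and protocol checks were not enough, which is the security point of the change. According to the KASAN report in the description, a socket allocated by mISDN reached setup_udp_tunnel_sock() and was written outside its slab object, so this test guards code that treats `sk` as an inet/UDP socket. I would put `/* Tunnel setup treats sk as an inet socket; sockets of other families must not get this far */` above the test. The function body starts and ends outside the hunk, so any further validation after the protocol check is not visible here.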
diff --git a/queue-5.4/l2tp-do-not-use-inet_hash-inet_unhash.patch b/queue-5.4/l2tp-do-not-use-inet_hash-inet_unhash.patch
new file mode 100644 (file)
index 0000000..acbfc7e
--- /dev/null
@@ -0,0 +1,201 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:20:53 -0700
+Subject: l2tp: do not use inet_hash()/inet_unhash()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
+
+syzbot recently found a way to crash the kernel [1]
+
+Issue here is that inet_hash() & inet_unhash() are currently
+only meant to be used by TCP & DCCP, since only these protocols
+provide the needed hashinfo pointer.
+
+L2TP uses a single list (instead of a hash table)
+
+This old bug became an issue after commit 610236587600
+("bpf: Add new cgroup attach type to enable sock modifications")
+since after this commit, sk_common_release() can be called
+while the L2TP socket is still considered 'hashed'.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ sk_common_release+0xba/0x370 net/core/sock.c:3210
+ inet_create net/ipv4/af_inet.c:390 [inline]
+ inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x441e29
+Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
+RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
+Modules linked in:
+---[ end trace 23b6578228ce553e ]---
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c  |   29 ++++++++++++++++++++++-------
+ net/l2tp/l2tp_ip6.c |   30 ++++++++++++++++++++++--------
+ 2 files changed, 44 insertions(+), 15 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -20,7 +20,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -209,15 +208,31 @@ discard:
+       return 0;
+ }
+-static int l2tp_ip_open(struct sock *sk)
++static int l2tp_ip_hash(struct sock *sk)
+ {
+-      /* Prevent autobind. We don't have ports. */
+-      inet_sk(sk)->inet_num = IPPROTO_L2TP;
++      if (sk_unhashed(sk)) {
++              write_lock_bh(&l2tp_ip_lock);
++              sk_add_node(sk, &l2tp_ip_table);
++              write_unlock_bh(&l2tp_ip_lock);
++      }
++      return 0;
++}
++static void l2tp_ip_unhash(struct sock *sk)
++{
++      if (sk_unhashed(sk))
++              return;
+       write_lock_bh(&l2tp_ip_lock);
+-      sk_add_node(sk, &l2tp_ip_table);
++      sk_del_node_init(sk);
+       write_unlock_bh(&l2tp_ip_lock);
++}
++
++static int l2tp_ip_open(struct sock *sk)
++{
++      /* Prevent autobind. We don't have ports. */
++      inet_sk(sk)->inet_num = IPPROTO_L2TP;
++      l2tp_ip_hash(sk);
+       return 0;
+ }
+@@ -594,8 +609,8 @@ static struct proto l2tp_ip_prot = {
+       .sendmsg           = l2tp_ip_sendmsg,
+       .recvmsg           = l2tp_ip_recvmsg,
+       .backlog_rcv       = l2tp_ip_backlog_recv,
+-      .hash              = inet_hash,
+-      .unhash            = inet_unhash,
++      .hash              = l2tp_ip_hash,
++      .unhash            = l2tp_ip_unhash,
+       .obj_size          = sizeof(struct l2tp_ip_sock),
+ #ifdef CONFIG_COMPAT
+       .compat_setsockopt = compat_ip_setsockopt,
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -20,8 +20,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+-#include <net/inet6_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -222,15 +220,31 @@ discard:
+       return 0;
+ }
+-static int l2tp_ip6_open(struct sock *sk)
++static int l2tp_ip6_hash(struct sock *sk)
+ {
+-      /* Prevent autobind. We don't have ports. */
+-      inet_sk(sk)->inet_num = IPPROTO_L2TP;
++      if (sk_unhashed(sk)) {
++              write_lock_bh(&l2tp_ip6_lock);
++              sk_add_node(sk, &l2tp_ip6_table);
++              write_unlock_bh(&l2tp_ip6_lock);
++      }
++      return 0;
++}
++static void l2tp_ip6_unhash(struct sock *sk)
++{
++      if (sk_unhashed(sk))
++              return;
+       write_lock_bh(&l2tp_ip6_lock);
+-      sk_add_node(sk, &l2tp_ip6_table);
++      sk_del_node_init(sk);
+       write_unlock_bh(&l2tp_ip6_lock);
++}
++
++static int l2tp_ip6_open(struct sock *sk)
++{
++      /* Prevent autobind. We don't have ports. */
++      inet_sk(sk)->inet_num = IPPROTO_L2TP;
++      l2tp_ip6_hash(sk);
+       return 0;
+ }
+@@ -728,8 +742,8 @@ static struct proto l2tp_ip6_prot = {
+       .sendmsg           = l2tp_ip6_sendmsg,
+       .recvmsg           = l2tp_ip6_recvmsg,
+       .backlog_rcv       = l2tp_ip6_backlog_recv,
+-      .hash              = inet6_hash,
+-      .unhash            = inet_unhash,
++      .hash              = l2tp_ip6_hash,
++      .unhash            = l2tp_ip6_unhash,
+       .obj_size          = sizeof(struct l2tp_ip6_sock),
+ #ifdef CONFIG_COMPAT
+       .compat_setsockopt = compat_ipv6_setsockopt,
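Review bot: In l2tp_ip_hash() and l2tp_ip_unhash(), and in the l2tp_ip6 twins in the second file, the `sk_unhashed(sk)` test runs before `l2tp_ip_lock` is taken, so the test and the list update are not one atomic step. If hash and unhash can be reached for the same socket from two contexts, both could pass the test; whether callers already serialize on the socket lock is not visible in these hunks. Either move the test inside the locked region, for example `write_lock_bh(&l2tp_ip_lock);` then `if (sk_unhashed(sk)) sk_add_node(sk, &l2tp_ip_table);` then `write_unlock_bh(&l2tp_ip_lock);`, or add a comment naming what makes the unlocked test safe. l2tp_ip_open() and l2tp_ip6_open() also discard the helper's return value, which is harmless only while it always returns 0.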
diff --git a/queue-5.4/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch b/queue-5.4/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
new file mode 100644 (file)
index 0000000..d8f5b32
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 28 May 2020 14:57:47 -0700
+Subject: net: be more gentle about silly gso requests coming from user
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 ]
+
+Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
+
+When --mss=XXX option is set, packetdrill always provide gso_type & gso_size
+for its inbound packets, regardless of packet size.
+
+       if (packet->tcp && packet->mss) {
+               if (packet->ipv4)
+                       gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+               else
+                       gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
+               gso.gso_size = packet->mss;
+       }
+
+Since many other programs could do the same, relax virtio_net_hdr_to_skb()
+to no longer return an error, but instead ignore gso settings.
+
+This keeps Willem intent to make sure no malicious packet could
+reach gso stack.
+
+Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
+to clear gso_size for small packets.
+
+Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -109,16 +109,17 @@ retry:
+       if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+               u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
++              struct skb_shared_info *shinfo = skb_shinfo(skb);
+-              if (skb->len - p_off <= gso_size)
+-                      return -EINVAL;
++              /* Too small packets are not really GSO ones. */
++              if (skb->len - p_off > gso_size) {
++                      shinfo->gso_size = gso_size;
++                      shinfo->gso_type = gso_type;
+-              skb_shinfo(skb)->gso_size = gso_size;
+-              skb_shinfo(skb)->gso_type = gso_type;
+-
+-              /* Header must be checked, and gso_segs computed. */
+-              skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+-              skb_shinfo(skb)->gso_segs = 0;
++                      /* Header must be checked, and gso_segs computed. */
++                      shinfo->gso_type |= SKB_GSO_DODGY;
++                      shinfo->gso_segs = 0;
++              }
+       }
+       return 0;
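Review bot: A header that sets a GSO type with `gso_size` of 0 passes `skb->len - p_off > gso_size` whenever any payload follows, so the skb is still marked `SKB_GSO_DODGY` with a zero segment size instead of taking the new "ignore" path. Whether the segmentation code that later consumes this tolerates a zero size is not visible in the hunk, and the rejecting form of the test in the companion gso_size patch in this queue has the same gap. If zero is never a meaningful request here, the condition could read `if (gso_size && skb->len - p_off > gso_size) {`; otherwise the comment `/* Too small packets are not really GSO ones. */` should say that zero is deliberately let through. The enclosing function starts outside the hunk.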
diff --git a/queue-5.4/net-check-untrusted-gso_size-at-kernel-entry.patch b/queue-5.4/net-check-untrusted-gso_size-at-kernel-entry.patch
new file mode 100644 (file)
index 0000000..bc2abeb
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 25 May 2020 15:07:40 -0400
+Subject: net: check untrusted gso_size at kernel entry
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with gso size exceeding len.
+
+These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
+But they may affect gso size calculations earlier in the path.
+
+Now that we have thlen as of commit 9274124f023b ("net: stricter
+validation of untrusted gso packets"), check gso_size at entry too.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb(
+ {
+       unsigned int gso_type = 0;
+       unsigned int thlen = 0;
++      unsigned int p_off = 0;
+       unsigned int ip_proto;
+       if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb(
+               if (!skb_partial_csum_set(skb, start, off))
+                       return -EINVAL;
+-              if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++              p_off = skb_transport_offset(skb) + thlen;
++              if (p_off > skb_headlen(skb))
+                       return -EINVAL;
+       } else {
+               /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -92,17 +94,25 @@ retry:
+                               return -EINVAL;
+                       }
+-                      if (keys.control.thoff + thlen > skb_headlen(skb) ||
++                      p_off = keys.control.thoff + thlen;
++                      if (p_off > skb_headlen(skb) ||
+                           keys.basic.ip_proto != ip_proto)
+                               return -EINVAL;
+                       skb_set_transport_header(skb, keys.control.thoff);
++              } else if (gso_type) {
++                      p_off = thlen;
++                      if (p_off > skb_headlen(skb))
++                              return -EINVAL;
+               }
+       }
+       if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+               u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
++              if (skb->len - p_off <= gso_size)
++                      return -EINVAL;
++
+               skb_shinfo(skb)->gso_size = gso_size;
+               skb_shinfo(skb)->gso_type = gso_type;
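Review bot: In the added `else if (gso_type)` branch `p_off` is set to `thlen` alone, while the other two branches use the transport offset plus `thlen`, so the later `skb->len - p_off` counts any bytes ahead of the transport header as payload and the gso_size comparison is looser on this path. Whether that is intended, for example because no header offset is known there, is not stated, and the condition that encloses this branch is outside the hunk. A comment on the declaration, such as `unsigned int p_off = 0; /* offset of first payload byte: transport offset + thlen */`, plus one on this branch saying why the offset is left out, would make the invariant checkable. The unsigned subtraction also relies on each `p_off > skb_headlen(skb)` rejection staying next to its assignment.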
diff --git a/queue-5.4/net-mlx5-fix-crash-upon-suspend-resume.patch b/queue-5.4/net-mlx5-fix-crash-upon-suspend-resume.patch
new file mode 100644 (file)
index 0000000..c781de3
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Mark Bloch <markb@mellanox.com>
+Date: Wed, 20 May 2020 17:32:08 +0000
+Subject: net/mlx5: Fix crash upon suspend/resume
+
+From: Mark Bloch <markb@mellanox.com>
+
+[ Upstream commit 8fc3e29be9248048f449793502c15af329f35c6e ]
+
+Currently a Linux system with the mlx5 NIC always crashes upon
+hibernation - suspend/resume.
+
+Add basic callbacks so the NIC could be suspended and resumed.
+
+Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
+Tested-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1554,6 +1554,22 @@ static void shutdown(struct pci_dev *pde
+       mlx5_pci_disable_device(dev);
+ }
++static int mlx5_suspend(struct pci_dev *pdev, pm_message_t state)
++{
++      struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++      mlx5_unload_one(dev, false);
++
++      return 0;
++}
++
++static int mlx5_resume(struct pci_dev *pdev)
++{
++      struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++      return mlx5_load_one(dev, false);
++}
++
+ static const struct pci_device_id mlx5_core_pci_table[] = {
+       { PCI_VDEVICE(MELLANOX, PCI_DEVICE_ID_MELLANOX_CONNECTIB) },
+       { PCI_VDEVICE(MELLANOX, 0x1012), MLX5_PCI_DEV_IS_VF},   /* Connect-IB VF */
+@@ -1597,6 +1613,8 @@ static struct pci_driver mlx5_core_drive
+       .id_table       = mlx5_core_pci_table,
+       .probe          = init_one,
+       .remove         = remove_one,
++      .suspend        = mlx5_suspend,
++      .resume         = mlx5_resume,
+       .shutdown       = shutdown,
+       .err_handler    = &mlx5_err_handler,
+       .sriov_configure   = mlx5_core_sriov_configure,
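Review bot: mlx5_suspend() drops whatever mlx5_unload_one() reports and always returns 0, and its `state` argument is unused. If the unload can fail (its prototype is not visible on this page), the PM core is told the device is quiesced when it may not be, and mlx5_load_one() on resume then runs against an unknown state. If it returns an int, consider `return mlx5_unload_one(dev, false);`; if it cannot fail, a comment saying so would settle the question for the next reader. Both callbacks would also benefit from a one-line comment stating what the `false` argument selects, since that is not evident from the call sites.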
diff --git a/queue-5.4/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch b/queue-5.4/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
new file mode 100644 (file)
index 0000000..bd06658
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Mon, 25 May 2020 16:18:14 +0800
+Subject: net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit f2fb6b6275eba9d312957ca44c487bd780da6169 ]
+
+For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be
+PTP v2/802.AS1, any layer, any kind of event packet, but HW only
+take timestamp snapshot for below PTP message: sync, Pdelay_req,
+Pdelay_resp.
+
+Then it causes below issue when test E2E case:
+ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp
+ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp
+ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp
+ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp
+ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp
+
+Timestamp snapshot dependency on register bits in received path:
+SNAPTYPSEL TSMSTRENA TSEVNTENA         PTP_Messages
+01         x         0          SYNC, Follow_Up, Delay_Req,
+                                Delay_Resp, Pdelay_Req, Pdelay_Resp,
+                                Pdelay_Resp_Follow_Up
+01         0         1          SYNC, Pdelay_Req, Pdelay_Resp
+
+For dwmac v5.10a, enabling all events by setting register
+DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA]
+to 0’b0, which can support all required events.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -630,7 +630,8 @@ static int stmmac_hwtstamp_set(struct ne
+                       config.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+                       ptp_v2 = PTP_TCR_TSVER2ENA;
+                       snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+-                      ts_event_en = PTP_TCR_TSEVNTENA;
++                      if (priv->synopsys_id != DWMAC_CORE_5_10)
++                              ts_event_en = PTP_TCR_TSEVNTENA;
+                       ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+                       ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+                       ptp_over_ethernet = PTP_TCR_TSIPENA;
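Review bot: The new guard `if (priv->synopsys_id != DWMAC_CORE_5_10)` is an exact-version test with no comment, so the reason TSEVNTENA is skipped lives only in the commit message. I would add `/* dwmac 5.10a: leave TSEVNTENA clear so Delay_Req/Delay_Resp are snapshotted too */` above it. The skipped assignment leaves `ts_event_en` at whatever it was initialised to earlier in stmmac_hwtstamp_set(), which is outside the hunk, so confirm that value is 0 on every path into this case. Cores other than 5.10a keep the old setting; if later revisions share the hardware behaviour a range comparison may be wanted, but the page does not say.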
diff --git a/queue-5.4/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch b/queue-5.4/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
new file mode 100644 (file)
index 0000000..6acd1bf
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 25 May 2020 23:25:37 +0200
+Subject: net: usb: qmi_wwan: add Telit LE910C1-EUX composition
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 591612aa578cd7148b7b9d74869ef40118978389 ]
+
+Add support for Telit LE910C1-EUX composition
+
+0x1031: tty, tty, tty, rmnet
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1324,6 +1324,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)},    /* Alcatel L800MA */
+       {QMI_FIXED_INTF(0x2357, 0x0201, 4)},    /* TP-LINK HSUPA Modem MA180 */
+       {QMI_FIXED_INTF(0x2357, 0x9000, 4)},    /* TP-LINK MA260 */
++      {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+       {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)},    /* Telit ME910 */
diff --git a/queue-5.4/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch b/queue-5.4/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
new file mode 100644 (file)
index 0000000..d0679d2
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Thu, 28 May 2020 18:20:37 +0800
+Subject: NFC: st21nfca: add missed kfree_skb() in an error path
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 ]
+
+st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path.
+Add the missed function call to fix it.
+
+Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/dep.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/dep.c
++++ b/drivers/nfc/st21nfca/dep.c
+@@ -173,8 +173,10 @@ static int st21nfca_tm_send_atr_res(stru
+               memcpy(atr_res->gbi, atr_req->gbi, gb_len);
+               r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi,
+                                                 gb_len);
+-              if (r < 0)
++              if (r < 0) {
++                      kfree_skb(skb);
+                       return r;
++              }
+       }
+       info->dep_info.curr_nfc_dep_pni = 0;
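Review bot: The `memcpy(atr_res->gbi, atr_req->gbi, gb_len)` just above the corrected error path copies a length that appears to be derived from the peer's ATR request. Nothing in the hunk shows that `gb_len` is bounded by the received frame or by the space allocated for `skb`. st21nfca_tm_send_atr_res() starts and ends outside the hunk, so the check may already exist earlier in the function or in its caller. If it does, a one-line comment before the copy would record where, e.g. `/* gb_len bounded by the ATR_REQ length check in <caller> */`. If it does not, the request length should be rejected before `skb` is sized and filled, and that rejection path needs the same `kfree_skb(skb)` this patch adds.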
diff --git a/queue-5.4/nfp-flower-fix-used-time-of-merge-flow-statistics.patch b/queue-5.4/nfp-flower-fix-used-time-of-merge-flow-statistics.patch
new file mode 100644 (file)
index 0000000..29c767f
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+Date: Wed, 27 May 2020 09:44:20 +0200
+Subject: nfp: flower: fix used time of merge flow statistics
+
+From: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+
+[ Upstream commit 5b186cd60f033110960a3db424ffbd6de4cee528 ]
+
+Prior to this change the correct value for the used counter is calculated
+but not stored nor, therefore, propagated to user-space. In use-cases such
+as OVS use-case at least this results in active flows being removed from
+the hardware datapath. Which results in both unnecessary flow tear-down
+and setup, and packet processing on the host.
+
+This patch addresses the problem by saving the calculated used value
+which allows the value to propagate to user-space.
+
+Found by inspection.
+
+Fixes: aa6ce2ea0c93 ("nfp: flower: support stats update for merge flows")
+Signed-off-by: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+Signed-off-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/offload.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
+@@ -1368,7 +1368,8 @@ __nfp_flower_update_merge_stats(struct n
+               ctx_id = be32_to_cpu(sub_flow->meta.host_ctx_id);
+               priv->stats[ctx_id].pkts += pkts;
+               priv->stats[ctx_id].bytes += bytes;
+-              max_t(u64, priv->stats[ctx_id].used, used);
++              priv->stats[ctx_id].used = max_t(u64, used,
++                                               priv->stats[ctx_id].used);
+       }
+ }
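Review bot: `priv->stats[ctx_id]` is indexed with a value converted from `sub_flow->meta.host_ctx_id`, and the hunk shows no range check before the three stores, including the corrected `used` assignment. __nfp_flower_update_merge_stats() begins outside the hunk, so the bound may be guaranteed where the context id is allocated. If so, a short comment at the `ctx_id` assignment would record that invariant, e.g. `/* host_ctx_id is allocated by the driver and always indexes within priv->stats */`. If not, the loop should skip entries whose id falls outside the stats array.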
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..f5a68ce
--- /dev/null
@@ -0,0 +1,11 @@
+devinet-fix-memleak-in-inetdev_init.patch
+l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
+l2tp-do-not-use-inet_hash-inet_unhash.patch
+net-mlx5-fix-crash-upon-suspend-resume.patch
+net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
+net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
+nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
+nfp-flower-fix-used-time-of-merge-flow-statistics.patch
+vsock-fix-timeout-in-vsock_accept.patch
+net-check-untrusted-gso_size-at-kernel-entry.patch
+net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
diff --git a/queue-5.4/vsock-fix-timeout-in-vsock_accept.patch b/queue-5.4/vsock-fix-timeout-in-vsock_accept.patch
new file mode 100644 (file)
index 0000000..c0c3361
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sun 07 Jun 2020 02:59:42 PM CEST
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Wed, 27 May 2020 09:56:55 +0200
+Subject: vsock: fix timeout in vsock_accept()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
+
+The accept(2) is an "input" socket interface, so we should use
+SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
+
+So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
+use the right timeout in the vsock_accept().
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1275,7 +1275,7 @@ static int vsock_accept(struct socket *s
+       /* Wait for children sockets to appear; these are the new sockets
+        * created upon connection establishment.
+        */
+-      timeout = sock_sndtimeo(listener, flags & O_NONBLOCK);
++      timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK);
+       prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+       while ((connected = vsock_dequeue_accept(listener)) == NULL &&