4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Jan 2019 07:37:52 +0000 (08:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Jan 2019 07:37:52 +0000 (08:37 +0100)
added patches:
ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
gro_cell-add-napi_disable-in-gro_cells_destroy.patch
ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch
ieee802154-lowpan_header_create-check-must-check-daddr.patch
ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch
ipv6-tunnels-fix-two-use-after-free.patch
isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
net-ipv4-do-not-handle-duplicate-fragments-as-overlapping.patch
net-mlx5-typo-fix-in-del_sw_hw_rule.patch
net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch
net-phy-fix-the-issue-that-netif-always-links-up-after-resuming.patch
net-wan-fix-a-double-free-in-x25_asy_open_tty.patch
netrom-fix-locking-in-nr_find_socket.patch
packet-validate-address-length-if-non-zero.patch
packet-validate-address-length.patch
ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch
sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch
sock-make-sock-sk_stamp-thread-safe.patch
tipc-compare-remote-and-local-protocols-in-tipc_udp_enable.patch
tipc-fix-a-double-kfree_skb.patch
tipc-use-lock_sock-in-tipc_sk_reinit.patch
vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
xen-netfront-tolerate-frags-with-no-data.patch

25 files changed:
queue-4.9/ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch [new file with mode: 0644]
queue-4.9/gro_cell-add-napi_disable-in-gro_cells_destroy.patch [new file with mode: 0644]
queue-4.9/ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch [new file with mode: 0644]
queue-4.9/ieee802154-lowpan_header_create-check-must-check-daddr.patch [new file with mode: 0644]
queue-4.9/ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch [new file with mode: 0644]
queue-4.9/ipv6-tunnels-fix-two-use-after-free.patch [new file with mode: 0644]
queue-4.9/isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch [new file with mode: 0644]
queue-4.9/net-ipv4-do-not-handle-duplicate-fragments-as-overlapping.patch [new file with mode: 0644]
queue-4.9/net-mlx5-typo-fix-in-del_sw_hw_rule.patch [new file with mode: 0644]
queue-4.9/net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch [new file with mode: 0644]
queue-4.9/net-phy-fix-the-issue-that-netif-always-links-up-after-resuming.patch [new file with mode: 0644]
queue-4.9/net-wan-fix-a-double-free-in-x25_asy_open_tty.patch [new file with mode: 0644]
queue-4.9/netrom-fix-locking-in-nr_find_socket.patch [new file with mode: 0644]
queue-4.9/packet-validate-address-length-if-non-zero.patch [new file with mode: 0644]
queue-4.9/packet-validate-address-length.patch [new file with mode: 0644]
queue-4.9/ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch [new file with mode: 0644]
queue-4.9/sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/sock-make-sock-sk_stamp-thread-safe.patch [new file with mode: 0644]
queue-4.9/tipc-compare-remote-and-local-protocols-in-tipc_udp_enable.patch [new file with mode: 0644]
queue-4.9/tipc-fix-a-double-kfree_skb.patch [new file with mode: 0644]
queue-4.9/tipc-use-lock_sock-in-tipc_sk_reinit.patch [new file with mode: 0644]
queue-4.9/vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch [new file with mode: 0644]
queue-4.9/vsock-send-reset-control-packet-when-socket-is-partially-bound.patch [new file with mode: 0644]
queue-4.9/xen-netfront-tolerate-frags-with-no-data.patch [new file with mode: 0644]

diff --git a/queue-4.9/ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch b/queue-4.9/ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
new file mode 100644 (file)
index 0000000..7ffba88
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:36 -0800
+Subject: ax25: fix a use-after-free in ax25_fillin_cb()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ]
+
+There are multiple issues here:
+
+1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise
+   we may use a dangling pointer.
+
+2. There is a race between ax25_setsockopt() and device notifier as
+   reported by syzbot. Close it by holding RTNL lock.
+
+3. We need to test if dev->ax25_ptr is NULL before using it.
+
+Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c  |   11 +++++++++--
+ net/ax25/ax25_dev.c |    2 ++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket
+                       break;
+               }
+-              dev = dev_get_by_name(&init_net, devname);
++              rtnl_lock();
++              dev = __dev_get_by_name(&init_net, devname);
+               if (!dev) {
++                      rtnl_unlock();
+                       res = -ENODEV;
+                       break;
+               }
+               ax25->ax25_dev = ax25_dev_ax25dev(dev);
++              if (!ax25->ax25_dev) {
++                      rtnl_unlock();
++                      res = -ENODEV;
++                      break;
++              }
+               ax25_fillin_cb(ax25, ax25->ax25_dev);
+-              dev_put(dev);
++              rtnl_unlock();
+               break;
+       default:
+--- a/net/ax25/ax25_dev.c
++++ b/net/ax25/ax25_dev.c
+@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_dev
+       if ((s = ax25_dev_list) == ax25_dev) {
+               ax25_dev_list = s->next;
+               spin_unlock_bh(&ax25_dev_lock);
++              dev->ax25_ptr = NULL;
+               dev_put(dev);
+               kfree(ax25_dev);
+               return;
+@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_dev
+               if (s->next == ax25_dev) {
+                       s->next = ax25_dev->next;
+                       spin_unlock_bh(&ax25_dev_lock);
++                      dev->ax25_ptr = NULL;
+                       dev_put(dev);
+                       kfree(ax25_dev);
+                       return;
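Review bot: The `dev->ax25_ptr = NULL` stores in ax25_dev_device_down() are issued after `spin_unlock_bh(&ax25_dev_lock)`, so nothing in this hunk orders them against a reader of dev->ax25_ptr; the fix relies on the notifier path and the rewritten ax25_setsockopt() both running under RTNL, which the hunk shows only for the setsockopt side. A one-line comment at each store would make that contract explicit: `/* caller holds RTNL; ax25_setsockopt() reads dev->ax25_ptr under RTNL */`. The socket's own `ax25->ax25_dev` is not cleared here, so a socket already bound to the device keeps its pointer unless the rest of the down path (not visible in this hunk) handles that. The two `rtnl_unlock(); res = -ENODEV; break;` copies in ax25_setsockopt() could share one error exit. Both functions start and end outside the hunk.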
diff --git a/queue-4.9/gro_cell-add-napi_disable-in-gro_cells_destroy.patch b/queue-4.9/gro_cell-add-napi_disable-in-gro_cells_destroy.patch
new file mode 100644 (file)
index 0000000..9eae903
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 19 Dec 2018 23:23:00 +0100
+Subject: gro_cell: add napi_disable in gro_cells_destroy
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 8e1da73acded4751a93d4166458a7e640f37d26c ]
+
+Add napi_disable routine in gro_cells_destroy since starting from
+commit c42858eaf492 ("gro_cells: remove spinlock protecting receive
+queues") gro_cell_poll and gro_cells_destroy can run concurrently on
+napi_skbs list producing a kernel Oops if the tunnel interface is
+removed while gro_cell_poll is running. The following Oops has been
+triggered removing a vxlan device while the interface is receiving
+traffic
+
+[ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 5628.949981] PGD 0 P4D 0
+[ 5628.950308] Oops: 0002 [#1] SMP PTI
+[ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41
+[ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.960682] FS:  0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.961616] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.964871] Call Trace:
+[ 5628.965179]  net_rx_action+0xf0/0x380
+[ 5628.965637]  __do_softirq+0xc7/0x431
+[ 5628.966510]  run_ksoftirqd+0x24/0x30
+[ 5628.966957]  smpboot_thread_fn+0xc5/0x160
+[ 5628.967436]  kthread+0x113/0x130
+[ 5628.968283]  ret_from_fork+0x3a/0x50
+[ 5628.968721] Modules linked in:
+[ 5628.969099] CR2: 0000000000000008
+[ 5628.969510] ---[ end trace 9d9dedc7181661fe ]---
+[ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.978296] FS:  0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.979327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt
+[ 5628.983307] Kernel Offset: disabled
+
+Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/gro_cells.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/gro_cells.h
++++ b/include/net/gro_cells.h
+@@ -86,6 +86,7 @@ static inline void gro_cells_destroy(str
+       for_each_possible_cpu(i) {
+               struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
++              napi_disable(&cell->napi);
+               netif_napi_del(&cell->napi);
+               __skb_queue_purge(&cell->napi_skbs);
+       }
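Review bot: `napi_disable()` added ahead of `netif_napi_del()` in gro_cells_destroy() can sleep while it waits for a running gro_cell_poll() to finish, so every caller of gro_cells_destroy() must now be in process context; the callers are not visible in this hunk, so the constraint should be stated at the new line, e.g. `/* napi_disable() may sleep: it waits for an in-flight gro_cell_poll() */`. It also presumes the NAPI was enabled on every possible CPU by gro_cells_init(), which holds only if init does not leave partially-enabled cells on failure (outside this hunk). gro_cells_destroy() starts before the hunk.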
diff --git a/queue-4.9/ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch b/queue-4.9/ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch
new file mode 100644 (file)
index 0000000..12019a5
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Mon, 31 Dec 2018 15:43:01 -0600
+Subject: ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+[ Upstream commit 756af9c642329d54f048bac2a62f829b391f6944 ]
+
+Commit 33a48ab105a7 ("ibmveth: Fix DMA unmap error") fixed an issue in the
+normal code path of ibmveth_xmit_start() that was originally introduced by
+Commit 6e8ab30ec677 ("ibmveth: Add scatter-gather support"). This original
+fix missed the error path where dma_unmap_page is wrongly called on the
+header portion in descs[0] which was mapped with dma_map_single. As a
+result a failure to DMA map any of the frags results in a dmesg warning
+when CONFIG_DMA_API_DEBUG is enabled.
+
+------------[ cut here ]------------
+DMA-API: ibmveth 30000002: device driver frees DMA memory with wrong function
+  [device address=0x000000000a430000] [size=172 bytes] [mapped as page] [unmapped as single]
+WARNING: CPU: 1 PID: 8426 at kernel/dma/debug.c:1085 check_unmap+0x4fc/0xe10
+...
+<snip>
+...
+DMA-API: Mapped at:
+ibmveth_start_xmit+0x30c/0xb60
+dev_hard_start_xmit+0x100/0x450
+sch_direct_xmit+0x224/0x490
+__qdisc_run+0x20c/0x980
+__dev_queue_xmit+0x1bc/0xf20
+
+This fixes the API misuse by unampping descs[0] with dma_unmap_single.
+
+Fixes: 6e8ab30ec677 ("ibmveth: Add scatter-gather support")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1162,11 +1162,15 @@ out:
+ map_failed_frags:
+       last = i+1;
+-      for (i = 0; i < last; i++)
++      for (i = 1; i < last; i++)
+               dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
+                              descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+                              DMA_TO_DEVICE);
++      dma_unmap_single(&adapter->vdev->dev,
++                       descs[0].fields.address,
++                       descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
++                       DMA_TO_DEVICE);
+ map_failed:
+       if (!firmware_has_feature(FW_FEATURE_CMO))
+               netdev_err(netdev, "tx: unable to map xmit buffer\n");
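Review bot: The new `dma_unmap_single()` of `descs[0]` in the map_failed_frags path is correct only because descs[0] is the linear header mapped with dma_map_single() and control reaches this label only after that mapping succeeded; neither fact is visible in the hunk, so a comment would protect the next edit: `/* descs[0] is the header (dma_map_single); descs[1..] are frags (dma_map_page) */`. With the loop now starting at `i = 1` and `last = i+1`, descs[1..i] are unmapped and the descriptor of the frag whose mapping just failed stays excluded, as before. ibmveth_start_xmit() begins and ends outside the hunk.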
diff --git a/queue-4.9/ieee802154-lowpan_header_create-check-must-check-daddr.patch b/queue-4.9/ieee802154-lowpan_header_create-check-must-check-daddr.patch
new file mode 100644 (file)
index 0000000..cd0f53b
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Sun, 23 Dec 2018 12:52:18 -0500
+Subject: ieee802154: lowpan_header_create check must check daddr
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 40c3ff6d5e0809505a067dd423c110c5658c478c ]
+
+Packet sockets may call dev_header_parse with NULL daddr. Make
+lowpan_header_ops.create fail.
+
+Fixes: 87a93e4eceb4 ("ieee802154: change needed headroom/tailroom")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/6lowpan/tx.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/6lowpan/tx.c
++++ b/net/ieee802154/6lowpan/tx.c
+@@ -48,6 +48,9 @@ int lowpan_header_create(struct sk_buff
+       const struct ipv6hdr *hdr = ipv6_hdr(skb);
+       struct neighbour *n;
++      if (!daddr)
++              return -EINVAL;
++
+       /* TODO:
+        * if this package isn't ipv6 one, where should it be routed?
+        */
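Review bot: The `if (!daddr) return -EINVAL;` guard in lowpan_header_create() is placed before the IPv6-specific handling but nothing at the line records why a NULL daddr can arrive, so the commit message's reason should be carried into the code: `/* packet sockets call dev_hard_header() with a NULL daddr */`. Whether `saddr` can be NULL on the same path is not checked here; if the rest of the function dereferences it unconditionally (not visible in this hunk), it needs the same guard. The TODO about non-IPv6 payloads is still open, so `ipv6_hdr(skb)` is read before the packet type is validated. lowpan_header_create() continues past the hunk.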
diff --git a/queue-4.9/ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch b/queue-4.9/ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..50e0507
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 18 Dec 2018 21:17:44 -0800
+Subject: ipv6: explicitly initialize udp6_addr in udp_sock_create6()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit fb24274546310872eeeaf3d1d53799d8414aa0f2 ]
+
+syzbot reported the use of uninitialized udp6_addr::sin6_scope_id.
+We can just set ::sin6_scope_id to zero, as tunnels are unlikely
+to use an IPv6 address that needs a scope id and there is no
+interface to bind in this context.
+
+For net-next, it looks different as we have cfg->bind_ifindex there
+so we can probably call ipv6_iface_scope_id().
+
+Same for ::sin6_flowinfo, tunnels don't use it.
+
+Fixes: 8024e02879dd ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
+Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_udp_tunnel.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_udp_tunnel.c
++++ b/net/ipv6/ip6_udp_tunnel.c
+@@ -15,7 +15,7 @@
+ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                    struct socket **sockp)
+ {
+-      struct sockaddr_in6 udp6_addr;
++      struct sockaddr_in6 udp6_addr = {};
+       int err;
+       struct socket *sock = NULL;
+@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, st
+               goto error;
+       if (cfg->peer_udp_port) {
++              memset(&udp6_addr, 0, sizeof(udp6_addr));
+               udp6_addr.sin6_family = AF_INET6;
+               memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
+                      sizeof(udp6_addr.sin6_addr));
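Review bot: The `memset(&udp6_addr, 0, sizeof(udp6_addr))` before the peer setup is the part that matters if, as the function's structure suggests, `udp6_addr` was already filled for the local bind earlier in udp_sock_create6() (outside this hunk): without it the bind's `sin6_scope_id`/`sin6_flowinfo` would carry into the connect, and the `= {}` at the declaration only covers the first use. A comment would stop a later cleanup from dropping the memset as redundant: `/* udp6_addr was used for the local bind; clear stale scope_id/flowinfo before reuse */`. `= {}` is a GNU empty-initializer extension, consistent with kernel usage elsewhere.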
diff --git a/queue-4.9/ipv6-tunnels-fix-two-use-after-free.patch b/queue-4.9/ipv6-tunnels-fix-two-use-after-free.patch
new file mode 100644 (file)
index 0000000..5035770
--- /dev/null
@@ -0,0 +1,211 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 21 Dec 2018 07:47:51 -0800
+Subject: ipv6: tunnels: fix two use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cbb49697d5512ce9e61b45ce75d3ee43d7ea5524 ]
+
+xfrm6_policy_check() might have re-allocated skb->head, we need
+to reload ipv6 header pointer.
+
+sysbot reported :
+
+BUG: KASAN: use-after-free in __ipv6_addr_type+0x302/0x32f net/ipv6/addrconf_core.c:40
+Read of size 4 at addr ffff888191b8cb70 by task syz-executor2/1304
+
+CPU: 0 PID: 1304 Comm: syz-executor2 Not tainted 4.20.0-rc7+ #356
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x244/0x39d lib/dump_stack.c:113
+ print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
+ __ipv6_addr_type+0x302/0x32f net/ipv6/addrconf_core.c:40
+ ipv6_addr_type include/net/ipv6.h:403 [inline]
+ ip6_tnl_get_cap+0x27/0x190 net/ipv6/ip6_tunnel.c:727
+ ip6_tnl_rcv_ctl+0xdb/0x2a0 net/ipv6/ip6_tunnel.c:757
+ vti6_rcv+0x336/0x8f3 net/ipv6/ip6_vti.c:321
+ xfrm6_ipcomp_rcv+0x1a5/0x3a0 net/ipv6/xfrm6_protocol.c:132
+ ip6_protocol_deliver_rcu+0x372/0x1940 net/ipv6/ip6_input.c:394
+ ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:434
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:443
+IPVS: ftp: loaded support on port[0] = 21
+ ip6_mc_input+0x514/0x11c0 net/ipv6/ip6_input.c:537
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ipv6_rcv+0x115/0x640 net/ipv6/ip6_input.c:272
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5083
+ process_backlog+0x24e/0x7a0 net/core/dev.c:5923
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x7fa/0x19b0 net/core/dev.c:6412
+ __do_softirq+0x308/0xb7e kernel/softirq.c:292
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027
+ </IRQ>
+ do_softirq.part.14+0x126/0x160 kernel/softirq.c:337
+ do_softirq+0x19/0x20 kernel/softirq.c:340
+ netif_rx_ni+0x521/0x860 net/core/dev.c:4569
+ dev_loopback_xmit+0x287/0x8c0 net/core/dev.c:3576
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ip6_finish_output2+0x193a/0x2930 net/ipv6/ip6_output.c:84
+ ip6_fragment+0x2b06/0x3850 net/ipv6/ip6_output.c:727
+ ip6_finish_output+0x6b7/0xc50 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:278 [inline]
+ ip6_output+0x232/0x9d0 net/ipv6/ip6_output.c:171
+ dst_output include/net/dst.h:444 [inline]
+ ip6_local_out+0xc5/0x1b0 net/ipv6/output_core.c:176
+ ip6_send_skb+0xbc/0x340 net/ipv6/ip6_output.c:1727
+ ip6_push_pending_frames+0xc5/0xf0 net/ipv6/ip6_output.c:1747
+ rawv6_push_pending_frames net/ipv6/raw.c:615 [inline]
+ rawv6_sendmsg+0x3a3e/0x4b40 net/ipv6/raw.c:945
+kobject: 'queues' (0000000089e6eea2): kobject_add_internal: parent: 'tunl0', set: '<NULL>'
+kobject: 'queues' (0000000089e6eea2): kobject_uevent_env
+ inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
+kobject: 'queues' (0000000089e6eea2): kobject_uevent_env: filter function caused the event to drop!
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:631
+ sock_write_iter+0x35e/0x5c0 net/socket.c:900
+ call_write_iter include/linux/fs.h:1857 [inline]
+ new_sync_write fs/read_write.c:474 [inline]
+ __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
+kobject: 'rx-0' (00000000e2d902d9): kobject_add_internal: parent: 'queues', set: 'queues'
+kobject: 'rx-0' (00000000e2d902d9): kobject_uevent_env
+ vfs_write+0x1fc/0x560 fs/read_write.c:549
+ ksys_write+0x101/0x260 fs/read_write.c:598
+kobject: 'rx-0' (00000000e2d902d9): fill_kobj_path: path = '/devices/virtual/net/tunl0/queues/rx-0'
+ __do_sys_write fs/read_write.c:610 [inline]
+ __se_sys_write fs/read_write.c:607 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:607
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+kobject: 'tx-0' (00000000443b70ac): kobject_add_internal: parent: 'queues', set: 'queues'
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x457669
+Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f9bd200bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
+RDX: 000000000000058f RSI: 00000000200033c0 RDI: 0000000000000003
+kobject: 'tx-0' (00000000443b70ac): kobject_uevent_env
+RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9bd200c6d4
+R13: 00000000004c2dcc R14: 00000000004da398 R15: 00000000ffffffff
+
+Allocated by task 1304:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ __do_kmalloc_node mm/slab.c:3684 [inline]
+ __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3698
+ __kmalloc_reserve.isra.41+0x41/0xe0 net/core/skbuff.c:140
+ __alloc_skb+0x155/0x760 net/core/skbuff.c:208
+kobject: 'tx-0' (00000000443b70ac): fill_kobj_path: path = '/devices/virtual/net/tunl0/queues/tx-0'
+ alloc_skb include/linux/skbuff.h:1011 [inline]
+ __ip6_append_data.isra.49+0x2f1a/0x3f50 net/ipv6/ip6_output.c:1450
+ ip6_append_data+0x1bc/0x2d0 net/ipv6/ip6_output.c:1619
+ rawv6_sendmsg+0x15ab/0x4b40 net/ipv6/raw.c:938
+ inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:631
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
+ __sys_sendmsg+0x11d/0x280 net/socket.c:2154
+ __do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg net/socket.c:2161 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+kobject: 'gre0' (00000000cb1b2d7b): kobject_add_internal: parent: 'net', set: 'devices'
+
+Freed by task 1304:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kfree+0xcf/0x230 mm/slab.c:3817
+ skb_free_head+0x93/0xb0 net/core/skbuff.c:553
+ pskb_expand_head+0x3b2/0x10d0 net/core/skbuff.c:1498
+ __pskb_pull_tail+0x156/0x18a0 net/core/skbuff.c:1896
+ pskb_may_pull include/linux/skbuff.h:2188 [inline]
+ _decode_session6+0xd11/0x14d0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:3272
+kobject: 'gre0' (00000000cb1b2d7b): kobject_uevent_env
+ __xfrm_policy_check+0x380/0x2c40 net/xfrm/xfrm_policy.c:3322
+ __xfrm_policy_check2 include/net/xfrm.h:1170 [inline]
+ xfrm_policy_check include/net/xfrm.h:1175 [inline]
+ xfrm6_policy_check include/net/xfrm.h:1185 [inline]
+ vti6_rcv+0x4bd/0x8f3 net/ipv6/ip6_vti.c:316
+ xfrm6_ipcomp_rcv+0x1a5/0x3a0 net/ipv6/xfrm6_protocol.c:132
+ ip6_protocol_deliver_rcu+0x372/0x1940 net/ipv6/ip6_input.c:394
+ ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:434
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:443
+ ip6_mc_input+0x514/0x11c0 net/ipv6/ip6_input.c:537
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ ipv6_rcv+0x115/0x640 net/ipv6/ip6_input.c:272
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5083
+ process_backlog+0x24e/0x7a0 net/core/dev.c:5923
+kobject: 'gre0' (00000000cb1b2d7b): fill_kobj_path: path = '/devices/virtual/net/gre0'
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x7fa/0x19b0 net/core/dev.c:6412
+ __do_softirq+0x308/0xb7e kernel/softirq.c:292
+
+The buggy address belongs to the object at ffff888191b8cac0
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 176 bytes inside of
+ 512-byte region [ffff888191b8cac0, ffff888191b8ccc0)
+The buggy address belongs to the page:
+page:ffffea000646e300 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 ffffea0006eaaa48 ffffea00065356c8 ffff8881da800940
+raw: 0000000000000000 ffff888191b8c0c0 0000000100000006 0000000000000000
+page dumped because: kasan: bad access detected
+kobject: 'queues' (000000005fd6226e): kobject_add_internal: parent: 'gre0', set: '<NULL>'
+
+Memory state around the buggy address:
+ ffff888191b8ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888191b8ca80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+>ffff888191b8cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                             ^
+ ffff888191b8cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888191b8cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 0d3c703a9d17 ("ipv6: Cleanup IPv6 tunnel receive path")
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |    1 +
+ net/ipv6/ip6_vti.c    |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -907,6 +907,7 @@ static int ipxip6_rcv(struct sk_buff *sk
+                       goto drop;
+               if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
+                       goto drop;
++              ipv6h = ipv6_hdr(skb);
+               if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
+                       goto drop;
+               if (iptunnel_pull_header(skb, 0, tpi->proto, false))
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
+                       return 0;
+               }
++              ipv6h = ipv6_hdr(skb);
+               if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
+                       t->dev->stats.rx_dropped++;
+                       rcu_read_unlock();
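Review bot: The `ipv6h = ipv6_hdr(skb);` reload in ipxip6_rcv() and vti6_rcv() sits directly after the xfrm6_policy_check() call, but nothing at the line says why, so a later refactor could hoist it back above the check and reintroduce the use-after-free; add `/* xfrm6_policy_check() may reallocate skb->head (pskb_may_pull): reload */`. In ipxip6_rcv() the following `iptunnel_pull_header()` also modifies the skb, so any later use of `ipv6h` in that function (not visible here) would be stale again. Both functions start and end outside the hunk.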
diff --git a/queue-4.9/isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch b/queue-4.9/isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
new file mode 100644 (file)
index 0000000..35a625a
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 2 Jan 2019 09:20:27 -0800
+Subject: isdn: fix kernel-infoleak in capi_unlocked_ioctl
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ]
+
+Since capi_ioctl() copies 64 bytes after calling
+capi20_get_manufacturer() we need to ensure to not leak
+information to user.
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ capi_ioctl include/linux/uaccess.h:177 [inline]
+ capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+ ksys_ioctl fs/ioctl.c:713 [inline]
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
+ __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440019
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
+RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0
+R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----data.i@capi_unlocked_ioctl
+Variable was created at:
+ capi_ioctl drivers/isdn/capi/capi.c:747 [inline]
+ capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+
+Bytes 12-63 of 64 are uninitialized
+Memory access of size 64 starts at ffff88807ac5fce8
+Data copied to user address 0000000020000080
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/capi/kcapi.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u
+       u16 ret;
+       if (contr == 0) {
+-              strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
++              strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+               return CAPI_NOERROR;
+       }
+@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u
+       ctr = get_capi_ctr_by_nr(contr);
+       if (ctr && ctr->state == CAPI_CTR_RUNNING) {
+-              strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
++              strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+               ret = CAPI_NOERROR;
+       } else
+               ret = CAPI_REGNOTINSTALLED;
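Review bot: Switching capi20_get_manufacturer() from `strlcpy()` to `strncpy()` zero-pads the buffer but drops the guaranteed NUL termination: a manufacturer string of CAPI_MANUFACTURER_LEN or more bytes in `ctr->manu` now leaves `buf` unterminated for any caller that treats it as a C string. Padding and termination can both be kept with `memset(buf, 0, CAPI_MANUFACTURER_LEN); strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);` (and likewise for `capi_manufakturer`). The leak is fully closed only if the 64 bytes copied by capi_ioctl() equal CAPI_MANUFACTURER_LEN; that constant and the caller are outside this hunk. The function starts and ends outside the hunk.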
diff --git a/queue-4.9/net-ipv4-do-not-handle-duplicate-fragments-as-overlapping.patch b/queue-4.9/net-ipv4-do-not-handle-duplicate-fragments-as-overlapping.patch
new file mode 100644 (file)
index 0000000..679436e
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Thu, 13 Dec 2018 17:23:32 +0100
+Subject: net: ipv4: do not handle duplicate fragments as overlapping
+
+From: Michal Kubecek <mkubecek@suse.cz>
+
+[ Upstream commit ade446403bfb79d3528d56071a84b15351a139ad ]
+
+Since commit 7969e5c40dfd ("ip: discard IPv4 datagrams with overlapping
+segments.") IPv4 reassembly code drops the whole queue whenever an
+overlapping fragment is received. However, the test is written in a way
+which detects duplicate fragments as overlapping so that in environments
+with many duplicate packets, fragmented packets may be undeliverable.
+
+Add an extra test and for (potentially) duplicate fragment, only drop the
+new fragment rather than the whole queue. Only starting offset and length
+are checked, not the contents of the fragments as that would be too
+expensive. For similar reason, linear list ("run") of a rbtree node is not
+iterated, we only check if the new fragment is a subset of the interval
+covered by existing consecutive fragments.
+
+v2: instead of an exact check iterating through linear list of an rbtree
+node, only check if the new fragment is subset of the "run" (suggested
+by Eric Dumazet)
+
+Fixes: 7969e5c40dfd ("ip: discard IPv4 datagrams with overlapping segments.")
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -345,10 +345,10 @@ static int ip_frag_queue(struct ipq *qp,
+       struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
+       struct rb_node **rbn, *parent;
+       struct sk_buff *skb1, *prev_tail;
++      int ihl, end, skb1_run_end;
+       struct net_device *dev;
+       unsigned int fragsize;
+       int flags, offset;
+-      int ihl, end;
+       int err = -ENOENT;
+       u8 ecn;
+@@ -418,7 +418,9 @@ static int ip_frag_queue(struct ipq *qp,
+        *   overlapping fragment, the entire datagram (and any constituent
+        *   fragments) MUST be silently discarded.
+        *
+-       * We do the same here for IPv4 (and increment an snmp counter).
++       * We do the same here for IPv4 (and increment an snmp counter) but
++       * we do not want to drop the whole queue in response to a duplicate
++       * fragment.
+        */
+       /* Find out where to put this fragment.  */
+@@ -442,13 +444,17 @@ static int ip_frag_queue(struct ipq *qp,
+               do {
+                       parent = *rbn;
+                       skb1 = rb_to_skb(parent);
++                      skb1_run_end = skb1->ip_defrag_offset +
++                                     FRAG_CB(skb1)->frag_run_len;
+                       if (end <= skb1->ip_defrag_offset)
+                               rbn = &parent->rb_left;
+-                      else if (offset >= skb1->ip_defrag_offset +
+-                                              FRAG_CB(skb1)->frag_run_len)
++                      else if (offset >= skb1_run_end)
+                               rbn = &parent->rb_right;
+-                      else /* Found an overlap with skb1. */
+-                              goto discard_qp;
++                      else if (offset >= skb1->ip_defrag_offset &&
++                               end <= skb1_run_end)
++                              goto err; /* No new data, potential duplicate */
++                      else
++                              goto discard_qp; /* Found an overlap */
+               } while (*rbn);
+               /* Here we have parent properly set, and rbn pointing to
+                * one of its NULL left/right children. Insert skb.
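Review bot: The new `goto err` on the "No new data, potential duplicate" branch returns whatever `err` happens to hold, and nothing in the hunk assigns an error before the jump; if, as in the upstream layout of this function, the last write to `err` before the tree walk is the return value of a successful `pskb_trim_rcsum()`, then `err` is 0 here, the skb is freed at the `err:` label and `ip_frag_queue()` reports success, which `ip_defrag()` callers treat as "the skb is still yours". Please confirm the value of `err` at this point (the assignments and the `err:` label are outside the hunk); if it can be 0, set it explicitly: `else if (offset >= skb1->ip_defrag_offset && end <= skb1_run_end) { err = -EINVAL; goto err; /* No new data, potential duplicate */ }`. The enclosing `ip_frag_queue()` starts and ends outside the hunk.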
diff --git a/queue-4.9/net-mlx5-typo-fix-in-del_sw_hw_rule.patch b/queue-4.9/net-mlx5-typo-fix-in-del_sw_hw_rule.patch
new file mode 100644 (file)
index 0000000..b3eced9
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Yuval Avnery <yuvalav@mellanox.com>
+Date: Thu, 13 Dec 2018 02:26:46 +0200
+Subject: net/mlx5: Typo fix in del_sw_hw_rule
+
+From: Yuval Avnery <yuvalav@mellanox.com>
+
+[ Upstream commit f0337889147c956721696553ffcc97212b0948fe ]
+
+Expression terminated with "," instead of ";", resulted in
+set_fte getting bad value for modify_enable_mask field.
+
+Fixes: bd5251dbf156 ("net/mlx5_core: Introduce flow steering destination of type counter")
+Signed-off-by: Yuval Avnery <yuvalav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -390,7 +390,7 @@ static void del_rule(struct fs_node *nod
+       }
+       if ((fte->action & MLX5_FLOW_CONTEXT_ACTION_FWD_DEST) &&
+           --fte->dests_size) {
+-              modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST),
++              modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST);
+               err = mlx5_cmd_update_fte(dev, ft,
+                                         fg->id,
+                                         modify_mask,
diff --git a/queue-4.9/net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch b/queue-4.9/net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch
new file mode 100644 (file)
index 0000000..9bcd6a1
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Sun, 25 Nov 2018 11:46:09 +0200
+Subject: net/mlx5e: Remove the false indication of software timestamping support
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+[ Upstream commit 4765420439e758bfa4808392d18b0a4cb6f06065 ]
+
+mlx5 driver falsely advertises support of software timestamping.
+Fix it by removing the false indication.
+
+Fixes: ef9814deafd0 ("net/mlx5e: Add HW timestamping (TS) support")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c |   11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1167,11 +1167,6 @@ static int mlx5e_get_ts_info(struct net_
+                            struct ethtool_ts_info *info)
+ {
+       struct mlx5e_priv *priv = netdev_priv(dev);
+-      int ret;
+-
+-      ret = ethtool_op_get_ts_info(dev, info);
+-      if (ret)
+-              return ret;
+       info->phc_index = priv->tstamp.ptp ?
+                         ptp_clock_index(priv->tstamp.ptp) : -1;
+@@ -1179,9 +1174,9 @@ static int mlx5e_get_ts_info(struct net_
+       if (!MLX5_CAP_GEN(priv->mdev, device_frequency_khz))
+               return 0;
+-      info->so_timestamping |= SOF_TIMESTAMPING_TX_HARDWARE |
+-                               SOF_TIMESTAMPING_RX_HARDWARE |
+-                               SOF_TIMESTAMPING_RAW_HARDWARE;
++      info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
++                              SOF_TIMESTAMPING_RX_HARDWARE |
++                              SOF_TIMESTAMPING_RAW_HARDWARE;
+       info->tx_types = BIT(HWTSTAMP_TX_OFF) |
+                        BIT(HWTSTAMP_TX_ON);
diff --git a/queue-4.9/net-phy-fix-the-issue-that-netif-always-links-up-after-resuming.patch b/queue-4.9/net-phy-fix-the-issue-that-netif-always-links-up-after-resuming.patch
new file mode 100644 (file)
index 0000000..25cb1a0
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 18 Dec 2018 16:57:04 +0900
+Subject: net: phy: Fix the issue that netif always links up after resuming
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 8742beb50f2db903d3b6d69ddd81d67ce9914453 ]
+
+Even though the link is down before entering hibernation,
+there is an issue that the network interface always links up after resuming
+from hibernation.
+
+If the link is still down before enabling the network interface,
+and after resuming from hibernation, the phydev->state is forcibly set
+to PHY_UP in mdio_bus_phy_restore(), and the link becomes up.
+
+In suspend sequence, only if the PHY is attached, mdio_bus_phy_suspend()
+calls phy_stop_machine(), and mdio_bus_phy_resume() calls
+phy_start_machine().
+In resume sequence, it's enough to do the same as mdio_bus_phy_resume()
+because the state has been preserved.
+
+This patch fixes the issue by calling phy_start_machine() in
+mdio_bus_phy_restore() in the same way as mdio_bus_phy_resume().
+
+Fixes: bc87922ff59d ("phy: Move PHY PM operations into phy_device")
+Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -163,11 +163,8 @@ static int mdio_bus_phy_restore(struct d
+       if (ret < 0)
+               return ret;
+-      /* The PHY needs to renegotiate. */
+-      phydev->link = 0;
+-      phydev->state = PHY_UP;
+-
+-      phy_start_machine(phydev);
++      if (phydev->attached_dev && phydev->adjust_link)
++              phy_start_machine(phydev);
+       return 0;
+ }
diff --git a/queue-4.9/net-wan-fix-a-double-free-in-x25_asy_open_tty.patch b/queue-4.9/net-wan-fix-a-double-free-in-x25_asy_open_tty.patch
new file mode 100644 (file)
index 0000000..9351813
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:37 -0800
+Subject: net/wan: fix a double free in x25_asy_open_tty()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit d5c7c745f254c6cb98b3b3f15fe789b8bd770c72 ]
+
+When x25_asy_open() fails, it already cleans up by itself,
+so its caller doesn't need to free the memory again.
+
+It seems we still have to call x25_asy_free() to clear the SLF_INUSE
+bit, so just set these pointers to NULL after kfree().
+
+Reported-and-tested-by: syzbot+5e5e969e525129229052@syzkaller.appspotmail.com
+Fixes: 3b780bed3138 ("x25_asy: Free x25_asy on x25_asy_open() failure.")
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/x25_asy.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wan/x25_asy.c
++++ b/drivers/net/wan/x25_asy.c
+@@ -488,8 +488,10 @@ static int x25_asy_open(struct net_devic
+       /* Cleanup */
+       kfree(sl->xbuff);
++      sl->xbuff = NULL;
+ noxbuff:
+       kfree(sl->rbuff);
++      sl->rbuff = NULL;
+ norbuff:
+       return -ENOMEM;
+ }
diff --git a/queue-4.9/netrom-fix-locking-in-nr_find_socket.patch b/queue-4.9/netrom-fix-locking-in-nr_find_socket.patch
new file mode 100644 (file)
index 0000000..675e22f
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:38 -0800
+Subject: netrom: fix locking in nr_find_socket()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ]
+
+nr_find_socket(), nr_find_peer() and nr_find_listener() lock the
+sock after finding it in the global list. However, the call path
+requires BH disabled for the sock lock consistently.
+
+Actually the locking is unnecessary at this point, we can just hold
+the sock refcnt to make sure it is not gone after we unlock the global
+list, and lock it later only when needed.
+
+Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax2
+       sk_for_each(s, &nr_list)
+               if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
+                   s->sk_state == TCP_LISTEN) {
+-                      bh_lock_sock(s);
++                      sock_hold(s);
+                       goto found;
+               }
+       s = NULL;
+@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsig
+               struct nr_sock *nr = nr_sk(s);
+               if (nr->my_index == index && nr->my_id == id) {
+-                      bh_lock_sock(s);
++                      sock_hold(s);
+                       goto found;
+               }
+       }
+@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigne
+               if (nr->your_index == index && nr->your_id == id &&
+                   !ax25cmp(&nr->dest_addr, dest)) {
+-                      bh_lock_sock(s);
++                      sock_hold(s);
+                       goto found;
+               }
+       }
+@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circu
+               if (i != 0 && j != 0) {
+                       if ((sk=nr_find_socket(i, j)) == NULL)
+                               break;
+-                      bh_unlock_sock(sk);
++                      sock_put(sk);
+               }
+               id++;
+@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       }
+       if (sk != NULL) {
++              bh_lock_sock(sk);
+               skb_reset_transport_header(skb);
+               if (frametype == NR_CONNACK && skb->len == 22)
+@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+               ret = nr_process_rx_frame(sk, skb);
+               bh_unlock_sock(sk);
++              sock_put(sk);
+               return ret;
+       }
+@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, str
+           (make = nr_make_new(sk)) == NULL) {
+               nr_transmit_refusal(skb, 0);
+               if (sk)
+-                      bh_unlock_sock(sk);
++                      sock_put(sk);
+               return 0;
+       }
++      bh_lock_sock(sk);
++
+       window = skb->data[20];
+       skb->sk             = make;
+@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+               sk->sk_data_ready(sk);
+       bh_unlock_sock(sk);
++      sock_put(sk);
+       nr_insert_socket(make);
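Review bot: `nr_make_new(sk)` in the `(make = nr_make_new(sk)) == NULL` condition now runs before the newly added `bh_lock_sock(sk)`, whereas before this change the listener came back from `nr_find_listener()` already locked; the listener's state is therefore read and copied into the new sock without the lock, and the backlog/state checks in the same condition (partly outside the hunk) can race with a concurrent close. The `sock_hold()` reference keeps the sock alive but does not freeze its state. Consider taking `bh_lock_sock(sk)` immediately after the listener lookup, before the backlog check and `nr_make_new()`, and releasing it on the refusal path before `sock_put(sk)`; otherwise a comment explaining why the unlocked read is tolerable would help the next reader. `nr_rx_frame()` starts before the hunk.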
diff --git a/queue-4.9/packet-validate-address-length-if-non-zero.patch b/queue-4.9/packet-validate-address-length-if-non-zero.patch
new file mode 100644 (file)
index 0000000..9428773
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Sat, 22 Dec 2018 16:53:45 -0500
+Subject: packet: validate address length if non-zero
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ]
+
+Validate packet socket address length if a length is given. Zero
+length is equivalent to not setting an address.
+
+Fixes: 99137b7888f4 ("packet: validate address length")
+Reported-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2660,7 +2660,7 @@ static int tpacket_snd(struct packet_soc
+                                               sll_addr)))
+                       goto out;
+               proto   = saddr->sll_protocol;
+-              addr    = saddr->sll_addr;
++              addr    = saddr->sll_halen ? saddr->sll_addr : NULL;
+               dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+               if (addr && dev && saddr->sll_halen < dev->addr_len)
+                       goto out;
+@@ -2859,7 +2859,7 @@ static int packet_snd(struct socket *soc
+               if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
+                       goto out;
+               proto   = saddr->sll_protocol;
+-              addr    = saddr->sll_addr;
++              addr    = saddr->sll_halen ? saddr->sll_addr : NULL;
+               dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+               if (addr && dev && saddr->sll_halen < dev->addr_len)
+                       goto out;
diff --git a/queue-4.9/packet-validate-address-length.patch b/queue-4.9/packet-validate-address-length.patch
new file mode 100644 (file)
index 0000000..5faf3e9
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 21 Dec 2018 12:06:59 -0500
+Subject: packet: validate address length
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ]
+
+Packet sockets with SOCK_DGRAM may pass an address for use in
+dev_hard_header. Ensure that it is of sufficient length.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2662,6 +2662,8 @@ static int tpacket_snd(struct packet_soc
+               proto   = saddr->sll_protocol;
+               addr    = saddr->sll_addr;
+               dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
++              if (addr && dev && saddr->sll_halen < dev->addr_len)
++                      goto out;
+       }
+       err = -ENXIO;
+@@ -2859,6 +2861,8 @@ static int packet_snd(struct socket *soc
+               proto   = saddr->sll_protocol;
+               addr    = saddr->sll_addr;
+               dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
++              if (addr && dev && saddr->sll_halen < dev->addr_len)
++                      goto out;
+       }
+       err = -ENXIO;
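Review bot: The added `if (addr && dev && saddr->sll_halen < dev->addr_len) goto out;` in both `tpacket_snd()` and `packet_snd()` runs right after `dev_get_by_index()` has taken a reference on `dev`, yet it jumps to `out` rather than to the label that drops that reference; unless `out:` itself does the `dev_put()` (the labels are outside the hunk, and the existing `-ENXIO` path just below suggests a separate release label), a too-short address from any CAP_NET_RAW caller leaks a netdevice refcount and the device can never be unregistered. Jumping to the label that performs `dev_put(dev)`, or calling `dev_put(dev)` before the `goto out`, closes this. Both enclosing functions start and end outside the hunk.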
diff --git a/queue-4.9/ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch b/queue-4.9/ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch
new file mode 100644 (file)
index 0000000..5814dab
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 30 Dec 2018 12:43:42 -0800
+Subject: ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit aff6db454599d62191aabc208930e891748e4322 ]
+
+__ptr_ring_swap_queue() tries to move pointers from the old
+ring to the new one, but it forgets to check if ->producer
+is beyond the new size at the end of the operation. This leads
+to an out-of-bound access in __ptr_ring_produce() as reported
+by syzbot.
+
+Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com
+Fixes: 5d49de532002 ("ptr_ring: resize support")
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ptr_ring.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/ptr_ring.h
++++ b/include/linux/ptr_ring.h
+@@ -384,6 +384,8 @@ static inline void **__ptr_ring_swap_que
+               else if (destroy)
+                       destroy(ptr);
++      if (producer >= size)
++              producer = 0;
+       r->size = size;
+       r->producer = producer;
+       r->consumer = 0;
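Review bot: The wrap at `if (producer >= size) producer = 0;` deserves a comment, because in isolation it looks like it discards the "ring is full" state: the copy loop above stops filling at `producer == size`, and leaving the index there would make the next `__ptr_ring_produce()` index one slot past the new array, which is the out-of-bounds access the commit describes. I would add above the check: `/* producer == size after a shrink means the new ring is full; wrap so the next produce() lands on slot 0, where the non-NULL entry, not the index, signals "full" */`. The second clause assumes full/empty is decided by the NULL-slot test used elsewhere in this header; worth confirming before wording it that way. `__ptr_ring_swap_queue()` starts before the hunk.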
diff --git a/queue-4.9/sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch b/queue-4.9/sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch
new file mode 100644 (file)
index 0000000..92c1bcc
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 10 Dec 2018 18:00:52 +0800
+Subject: sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]
+
+syzbot reported a kernel-infoleak, which is caused by an uninitialized
+field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
+The call trace is as below:
+
+  BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+  CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+  Google 01/01/2011
+  Call Trace:
+    __dump_stack lib/dump_stack.c:77 [inline]
+    dump_stack+0x32d/0x480 lib/dump_stack.c:113
+    kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
+    kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
+    kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
+    _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+    copy_to_user include/linux/uaccess.h:183 [inline]
+    sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
+    sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
+    sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
+    __sys_getsockopt+0x489/0x550 net/socket.c:1939
+    __do_sys_getsockopt net/socket.c:1950 [inline]
+    __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
+    __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
+    do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
+    entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
+setting it to 0.
+
+The issue exists since very beginning.
+Thanks Alexander for the reproducer provided.
+
+Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n
+               if (addr) {
+                       addr->a.v6.sin6_family = AF_INET6;
+                       addr->a.v6.sin6_port = 0;
++                      addr->a.v6.sin6_flowinfo = 0;
+                       addr->a.v6.sin6_addr = ifa->addr;
+                       addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+                       addr->valid = 1;
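Review bot: Zeroing `sin6_flowinfo` field by field closes this leak but ties the fix to the exact layout of `sockaddr_in6`: any field or padding later added to `union sctp_addr` is again copied to user space uninitialized via `sctp_getsockopt_local_addrs()`. Since `addr` has just been allocated here (the allocation is outside the hunk), a `kzalloc()`, or a `memset(&addr->a, 0, sizeof(addr->a));` before the assignments, makes the whole union defined regardless of layout. If the IPv4 sibling handler in net/sctp/protocol.c builds its `sockaddr_in` the same way, its `sin_zero` padding is worth checking for the same omission.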
index 153192db1c8e7f18405d8bef42f50c662b06856f..e96777967ddd2e7f560a14c9ed9232b40f7307f1 100644 (file)
@@ -3,3 +3,27 @@ ip6mr-fix-potential-spectre-v1-vulnerability.patch
 ipv4-fix-potential-spectre-v1-vulnerability.patch
 net-core-fix-spectre-v1-vulnerability.patch
 phonet-af_phonet-fix-spectre-v1-vulnerability.patch
+ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
+ibmveth-fix-dma-unmap-error-in-ibmveth_xmit_start-error-path.patch
+ieee802154-lowpan_header_create-check-must-check-daddr.patch
+ipv6-explicitly-initialize-udp6_addr-in-udp_sock_create6.patch
+ipv6-tunnels-fix-two-use-after-free.patch
+isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
+net-ipv4-do-not-handle-duplicate-fragments-as-overlapping.patch
+net-phy-fix-the-issue-that-netif-always-links-up-after-resuming.patch
+netrom-fix-locking-in-nr_find_socket.patch
+net-wan-fix-a-double-free-in-x25_asy_open_tty.patch
+packet-validate-address-length.patch
+packet-validate-address-length-if-non-zero.patch
+sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch
+tipc-fix-a-double-kfree_skb.patch
+vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
+vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
+xen-netfront-tolerate-frags-with-no-data.patch
+tipc-use-lock_sock-in-tipc_sk_reinit.patch
+tipc-compare-remote-and-local-protocols-in-tipc_udp_enable.patch
+gro_cell-add-napi_disable-in-gro_cells_destroy.patch
+net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch
+net-mlx5-typo-fix-in-del_sw_hw_rule.patch
+sock-make-sock-sk_stamp-thread-safe.patch
+ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch
diff --git a/queue-4.9/sock-make-sock-sk_stamp-thread-safe.patch b/queue-4.9/sock-make-sock-sk_stamp-thread-safe.patch
new file mode 100644 (file)
index 0000000..29d27a6
--- /dev/null
@@ -0,0 +1,180 @@
+From foo@baz Fri Jan  4 20:01:52 CET 2019
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Thu, 27 Dec 2018 18:55:09 -0800
+Subject: sock: Make sock->sk_stamp thread-safe
+
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+
+[ Upstream commit 3a0ed3e9619738067214871e9cb826fa23b2ddb9 ]
+
+Al Viro mentioned (Message-ID
+<20170626041334.GZ10672@ZenIV.linux.org.uk>)
+that there is probably a race condition
+lurking in accesses of sk_stamp on 32-bit machines.
+
+sock->sk_stamp is of type ktime_t which is always an s64.
+On a 32 bit architecture, we might run into situations of
+unsafe access as the access to the field becomes non atomic.
+
+Use seqlocks for synchronization.
+This allows us to avoid using spinlocks for readers as
+readers do not need mutual exclusion.
+
+Another approach to solve this is to require sk_lock for all
+modifications of the timestamps. The current approach allows
+for timestamps to have their own lock: sk_stamp_lock.
+This allows for the patch to not compete with already
+existing critical sections, and side effects are limited
+to the paths in the patch.
+
+The addition of the new field maintains the data locality
+optimizations from
+commit 9115e8cd2a0c ("net: reorganize struct sock for better data
+locality")
+
+Note that all the instances of the sk_stamp accesses
+are either through the ioctl or the syscall recvmsg.
+
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h   |   36 ++++++++++++++++++++++++++++++++++--
+ net/compat.c         |   15 +++++++++------
+ net/core/sock.c      |    3 +++
+ net/sunrpc/svcsock.c |    2 +-
+ 4 files changed, 47 insertions(+), 9 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -284,6 +284,7 @@ struct sock_common {
+   *   @sk_filter: socket filtering instructions
+   *   @sk_timer: sock cleanup timer
+   *   @sk_stamp: time stamp of last packet received
++  *   @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
+   *   @sk_tsflags: SO_TIMESTAMPING socket options
+   *   @sk_tskey: counter to disambiguate concurrent tstamp requests
+   *   @sk_socket: Identd and reporting IO signals
+@@ -425,6 +426,9 @@ struct sock {
+       long                    sk_sndtimeo;
+       struct timer_list       sk_timer;
+       ktime_t                 sk_stamp;
++#if BITS_PER_LONG==32
++      seqlock_t               sk_stamp_seq;
++#endif
+       u16                     sk_tsflags;
+       u8                      sk_shutdown;
+       u32                     sk_tskey;
+@@ -2114,6 +2118,34 @@ static inline void sk_drops_add(struct s
+       atomic_add(segs, &sk->sk_drops);
+ }
++static inline ktime_t sock_read_timestamp(struct sock *sk)
++{
++#if BITS_PER_LONG==32
++      unsigned int seq;
++      ktime_t kt;
++
++      do {
++              seq = read_seqbegin(&sk->sk_stamp_seq);
++              kt = sk->sk_stamp;
++      } while (read_seqretry(&sk->sk_stamp_seq, seq));
++
++      return kt;
++#else
++      return sk->sk_stamp;
++#endif
++}
++
++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
++{
++#if BITS_PER_LONG==32
++      write_seqlock(&sk->sk_stamp_seq);
++      sk->sk_stamp = kt;
++      write_sequnlock(&sk->sk_stamp_seq);
++#else
++      sk->sk_stamp = kt;
++#endif
++}
++
+ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+                          struct sk_buff *skb);
+ void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
+@@ -2138,7 +2170,7 @@ sock_recv_timestamp(struct msghdr *msg,
+            (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
+               __sock_recv_timestamp(msg, sk, skb);
+       else
+-              sk->sk_stamp = kt;
++              sock_write_timestamp(sk, kt);
+       if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
+               __sock_recv_wifi_status(msg, sk, skb);
+@@ -2158,7 +2190,7 @@ static inline void sock_recv_ts_and_drop
+       if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
+               __sock_recv_ts_and_drops(msg, sk, skb);
+       else
+-              sk->sk_stamp = skb->tstamp;
++              sock_write_timestamp(sk, skb->tstamp);
+ }
+ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -457,12 +457,14 @@ int compat_sock_get_timestamp(struct soc
+       err = -ENOENT;
+       if (!sock_flag(sk, SOCK_TIMESTAMP))
+               sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+-      tv = ktime_to_timeval(sk->sk_stamp);
++      tv = ktime_to_timeval(sock_read_timestamp(sk));
++
+       if (tv.tv_sec == -1)
+               return err;
+       if (tv.tv_sec == 0) {
+-              sk->sk_stamp = ktime_get_real();
+-              tv = ktime_to_timeval(sk->sk_stamp);
++              ktime_t kt = ktime_get_real();
++              sock_write_timestamp(sk, kt);
++              tv = ktime_to_timeval(kt);
+       }
+       err = 0;
+       if (put_user(tv.tv_sec, &ctv->tv_sec) ||
+@@ -485,12 +487,13 @@ int compat_sock_get_timestampns(struct s
+       err = -ENOENT;
+       if (!sock_flag(sk, SOCK_TIMESTAMP))
+               sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+-      ts = ktime_to_timespec(sk->sk_stamp);
++      ts = ktime_to_timespec(sock_read_timestamp(sk));
+       if (ts.tv_sec == -1)
+               return err;
+       if (ts.tv_sec == 0) {
+-              sk->sk_stamp = ktime_get_real();
+-              ts = ktime_to_timespec(sk->sk_stamp);
++              ktime_t kt = ktime_get_real();
++              sock_write_timestamp(sk, kt);
++              ts = ktime_to_timespec(kt);
+       }
+       err = 0;
+       if (put_user(ts.tv_sec, &ctv->tv_sec) ||
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2467,6 +2467,9 @@ void sock_init_data(struct socket *sock,
+       sk->sk_sndtimeo         =       MAX_SCHEDULE_TIMEOUT;
+       sk->sk_stamp = ktime_set(-1L, 0);
++#if BITS_PER_LONG==32
++      seqlock_init(&sk->sk_stamp_seq);
++#endif
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+       sk->sk_napi_id          =       0;
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -572,7 +572,7 @@ static int svc_udp_recvfrom(struct svc_r
+               /* Don't enable netstamp, sunrpc doesn't
+                  need that much accuracy */
+       }
+-      svsk->sk_sk->sk_stamp = skb->tstamp;
++      sock_write_timestamp(svsk->sk_sk, skb->tstamp);
+       set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
+       len  = skb->len;
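Review bot: Only the compat ioctl helpers are switched to `sock_read_timestamp()`/`sock_write_timestamp()`; per the diffstat net/core/sock.c gains just the three `seqlock_init()` lines, so if the native `sock_get_timestamp()`/`sock_get_timestampns()` in that file still read and write `sk->sk_stamp` directly (not visible in this patch), the torn 64-bit access this commit is meant to fix remains reachable from the non-compat SIOCGSTAMP path, which is the common case on a native 32-bit kernel. Those two functions should get the same `tv = ktime_to_timeval(sock_read_timestamp(sk));` and `sock_write_timestamp(sk, kt);` treatment as the compat versions here. `svc_udp_recvfrom()` starts and ends outside the hunk.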
diff --git a/queue-4.9/tipc-compare-remote-and-local-protocols-in-tipc_udp_enable.patch b/queue-4.9/tipc-compare-remote-and-local-protocols-in-tipc_udp_enable.patch
new file mode 100644 (file)
index 0000000..d196a14
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Jan  4 20:01:52 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 10 Dec 2018 15:23:30 -0800
+Subject: tipc: compare remote and local protocols in tipc_udp_enable()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit fb83ed496b9a654f60cd1d58a0e1e79ec5694808 ]
+
+When TIPC_NLA_UDP_REMOTE is an IPv6 mcast address but
+TIPC_NLA_UDP_LOCAL is an IPv4 address, a NULL-ptr deref is triggered
+as the UDP tunnel sock is initialized to IPv4 or IPv6 sock merely
+based on the protocol in local address.
+
+We should just error out when the remote address and local address
+have different protocols.
+
+Reported-by: syzbot+eb4da3a20fad2e52555d@syzkaller.appspotmail.com
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/udp_media.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -674,6 +674,11 @@ static int tipc_udp_enable(struct net *n
+       if (err)
+               goto err;
++      if (remote.proto != local.proto) {
++              err = -EINVAL;
++              goto err;
++      }
++
+       b->bcast_addr.media_id = TIPC_MEDIA_TYPE_UDP;
+       b->bcast_addr.broadcast = 1;
+       rcu_assign_pointer(b->media_ptr, ub);
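Review bot: The new family guard at `if (remote.proto != local.proto)` gives no hint why mixed families are rejected, and the reason stated in the description (the tunnel socket is set up for the local address's family, so a remote of the other family ends up on the wrong socket type) belongs next to the code rather than only in the changelog. Suggest `/* The tunnel sock is created for local's family; a remote of another family cannot be used with it. */` directly above the `if`. tipc_udp_enable() begins and ends outside the hunk, so whether both `remote` and `local` are fully parsed at this point (the `if (err) goto err;` just above suggests the second parse has completed) cannot be confirmed from here.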
diff --git a/queue-4.9/tipc-fix-a-double-kfree_skb.patch b/queue-4.9/tipc-fix-a-double-kfree_skb.patch
new file mode 100644 (file)
index 0000000..3542dec
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 10 Dec 2018 12:45:45 -0800
+Subject: tipc: fix a double kfree_skb()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit acb4a33e9856d5fa3384b87d3d8369229be06d31 ]
+
+tipc_udp_xmit() drops the packet on error, there is no
+need to drop it again.
+
+Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast")
+Reported-and-tested-by: syzbot+eae585ba2cc2752d3704@syzkaller.appspotmail.com
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/udp_media.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -243,10 +243,8 @@ static int tipc_udp_send_msg(struct net
+               }
+               err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);
+-              if (err) {
+-                      kfree_skb(_skb);
++              if (err)
+                       goto out;
+-              }
+       }
+       err = 0;
+ out:
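Review bot: The call site `err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);` now relies on tipc_udp_xmit() consuming `_skb` on failure, but nothing at the call site records that ownership transfer, which is how the double kfree_skb() crept in originally. Suggest `/* tipc_udp_xmit() consumes _skb on success and on error; never free it here. */` above the call so the next reader does not reintroduce the free. tipc_udp_send_msg() starts and ends outside the hunk, so other `_skb` error paths in the loop cannot be checked from here.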
diff --git a/queue-4.9/tipc-use-lock_sock-in-tipc_sk_reinit.patch b/queue-4.9/tipc-use-lock_sock-in-tipc_sk_reinit.patch
new file mode 100644 (file)
index 0000000..e5dc860
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Fri Jan  4 20:01:52 CET 2019
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 10 Dec 2018 11:49:55 -0800
+Subject: tipc: use lock_sock() in tipc_sk_reinit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 15ef70e286176165d28b0b8a969b422561a68dfc ]
+
+lock_sock() must be used in process context to be race-free with
+other lock_sock() callers, for example, tipc_release(). Otherwise
+using the spinlock directly can't serialize a parallel tipc_release().
+
+As it is blocking, we have to hold the sock refcnt before
+rhashtable_walk_stop() and release it after rhashtable_walk_start().
+
+Fixes: 07f6c4bc048a ("tipc: convert tipc reference table to use generic rhashtable")
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2281,11 +2281,15 @@ void tipc_sk_reinit(struct net *net)
+                       goto walk_stop;
+               while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
+-                      spin_lock_bh(&tsk->sk.sk_lock.slock);
++                      sock_hold(&tsk->sk);
++                      rhashtable_walk_stop(&iter);
++                      lock_sock(&tsk->sk);
+                       msg = &tsk->phdr;
+                       msg_set_prevnode(msg, tn->own_addr);
+                       msg_set_orignode(msg, tn->own_addr);
+-                      spin_unlock_bh(&tsk->sk.sk_lock.slock);
++                      release_sock(&tsk->sk);
++                      rhashtable_walk_start(&iter);
++                      sock_put(&tsk->sk);
+               }
+ walk_stop:
+               rhashtable_walk_stop(&iter);
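Review bot: The result of the re-entered `rhashtable_walk_start(&iter);` after `release_sock()` is discarded, while the `goto walk_stop;` above the loop suggests the outer call's result is checked in this series, so the inner one should say why it is not. If it reports -EAGAIN after a rehash, the walk restarts from the beginning and some sockets get `msg_set_prevnode`/`msg_set_orignode` applied twice, which is harmless because those writes are idempotent; a comment such as `/* -EAGAIN only restarts the walk; reinit is idempotent, so ignore it. */` would make that deliberate. The same comment could note that `sock_put()` stays after the restart on purpose, since the description says the reference is held across the stop/start window. tipc_sk_reinit() begins and ends outside the hunk.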
diff --git a/queue-4.9/vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch b/queue-4.9/vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
new file mode 100644 (file)
index 0000000..dd05dbc
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 13 Dec 2018 10:53:37 +0800
+Subject: vhost: make sure used idx is seen before log in vhost_add_used_n()
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ]
+
+We miss a write barrier that guarantees used idx is updated and seen
+before log. This will let userspace sync and copy used ring before
+used idx is update. Fix this by adding a barrier before log_write().
+
+Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2145,6 +2145,8 @@ int vhost_add_used_n(struct vhost_virtqu
+               return -EFAULT;
+       }
+       if (unlikely(vq->log_used)) {
++              /* Make sure used idx is seen before log. */
++              smp_wmb();
+               /* Log used index update. */
+               log_write(vq->log_base,
+                         vq->log_addr + offsetof(struct vring_used, idx),
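Review bot: The comment on the new `smp_wmb();` says what must be ordered but not which store it orders or who the consumer is, and barriers without a named pairing are the ones later cleanups remove. Suggest `/* Make sure used idx is seen before log: orders the used->idx store above against log_write(), since userspace syncs the used ring from the log. */`, naming the actual store from the lines above the hunk, which are not visible here. vhost_add_used_n() begins and ends outside the hunk.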
diff --git a/queue-4.9/vsock-send-reset-control-packet-when-socket-is-partially-bound.patch b/queue-4.9/vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
new file mode 100644 (file)
index 0000000..493152a
--- /dev/null
@@ -0,0 +1,128 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Jorgen Hansen <jhansen@vmware.com>
+Date: Tue, 18 Dec 2018 00:34:06 -0800
+Subject: VSOCK: Send reset control packet when socket is partially bound
+
+From: Jorgen Hansen <jhansen@vmware.com>
+
+[ Upstream commit a915b982d8f5e4295f64b8dd37ce753874867e88 ]
+
+If a server side socket is bound to an address, but not in the listening
+state yet, incoming connection requests should receive a reset control
+packet in response. However, the function used to send the reset
+silently drops the reset packet if the sending socket isn't bound
+to a remote address (as is the case for a bound socket not yet in
+the listening state). This change fixes this by using the src
+of the incoming packet as destination for the reset packet in
+this case.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Adit Ranadive <aditr@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c |   67 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 50 insertions(+), 17 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -273,6 +273,31 @@ vmci_transport_send_control_pkt_bh(struc
+ }
+ static int
++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
++                                    struct sockaddr_vm *dst,
++                                    enum vmci_transport_packet_type type,
++                                    u64 size,
++                                    u64 mode,
++                                    struct vmci_transport_waiting_info *wait,
++                                    u16 proto,
++                                    struct vmci_handle handle)
++{
++      struct vmci_transport_packet *pkt;
++      int err;
++
++      pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
++      if (!pkt)
++              return -ENOMEM;
++
++      err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
++                                              mode, wait, proto, handle,
++                                              true);
++      kfree(pkt);
++
++      return err;
++}
++
++static int
+ vmci_transport_send_control_pkt(struct sock *sk,
+                               enum vmci_transport_packet_type type,
+                               u64 size,
+@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct s
+                               u16 proto,
+                               struct vmci_handle handle)
+ {
+-      struct vmci_transport_packet *pkt;
+       struct vsock_sock *vsk;
+-      int err;
+       vsk = vsock_sk(sk);
+@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct s
+       if (!vsock_addr_bound(&vsk->remote_addr))
+               return -EINVAL;
+-      pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
+-      if (!pkt)
+-              return -ENOMEM;
+-
+-      err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
+-                                              &vsk->remote_addr, type, size,
+-                                              mode, wait, proto, handle,
+-                                              true);
+-      kfree(pkt);
+-
+-      return err;
++      return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
++                                                   &vsk->remote_addr,
++                                                   type, size, mode,
++                                                   wait, proto, handle);
+ }
+ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(
+ static int vmci_transport_send_reset(struct sock *sk,
+                                    struct vmci_transport_packet *pkt)
+ {
++      struct sockaddr_vm *dst_ptr;
++      struct sockaddr_vm dst;
++      struct vsock_sock *vsk;
++
+       if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
+               return 0;
+-      return vmci_transport_send_control_pkt(sk,
+-                                      VMCI_TRANSPORT_PACKET_TYPE_RST,
+-                                      0, 0, NULL, VSOCK_PROTO_INVALID,
+-                                      VMCI_INVALID_HANDLE);
++
++      vsk = vsock_sk(sk);
++
++      if (!vsock_addr_bound(&vsk->local_addr))
++              return -EINVAL;
++
++      if (vsock_addr_bound(&vsk->remote_addr)) {
++              dst_ptr = &vsk->remote_addr;
++      } else {
++              vsock_addr_init(&dst, pkt->dg.src.context,
++                              pkt->src_port);
++              dst_ptr = &dst;
++      }
++      return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
++                                           VMCI_TRANSPORT_PACKET_TYPE_RST,
++                                           0, 0, NULL, VSOCK_PROTO_INVALID,
++                                           VMCI_INVALID_HANDLE);
+ }
+ static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
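Review bot: The new helper `vmci_transport_alloc_send_control_pkt()` only reads through `src` and `dst`, so both could be `const struct sockaddr_vm *`, provided `__vmci_transport_send_control_pkt()`, whose prototype is outside the hunk, accepts const pointers. In `vmci_transport_send_reset()` the fallback branch deserves a line recording the fix, e.g. `/* Bound but not yet connected: answer the request's source directly. */` above `vsock_addr_init(&dst, pkt->dg.src.context,`, and `dst` could be declared inside that `else` block since it is used nowhere else. The `vmci_transport_send_control_pkt()` and `vmci_transport_send_reset_bh()` definitions straddle the hunk boundaries, so the earlier local-address check that the new `vsock_addr_bound(&vsk->local_addr)` guard mirrors is not visible here.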
diff --git a/queue-4.9/xen-netfront-tolerate-frags-with-no-data.patch b/queue-4.9/xen-netfront-tolerate-frags-with-no-data.patch
new file mode 100644 (file)
index 0000000..4c43c99
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri Jan  4 20:27:35 CET 2019
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 18 Dec 2018 16:06:19 +0100
+Subject: xen/netfront: tolerate frags with no data
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ]
+
+At least old Xen net backends seem to send frags with no real data
+sometimes. In case such a fragment happens to occur with the frag limit
+already reached the frontend will BUG currently even if this situation
+is easily recoverable.
+
+Modify the BUG_ON() condition accordingly.
+
+Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -903,7 +903,7 @@ static RING_IDX xennet_fill_frags(struct
+               if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+                       unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+-                      BUG_ON(pull_to <= skb_headlen(skb));
++                      BUG_ON(pull_to < skb_headlen(skb));
+                       __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+               }
+               if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {