authorTakashi Iwai <tiwai@suse.de>2019-05-02 17:14:24 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-02 17:14:24 +0200
commit8f8724d6a6a4d25b2a08ab7a132e5df1b6d0e718 (patch)
treec00379028081cb8caa853c9c596fe862133d7980
parente24913c87b3086af21cb95df6065ed30f78fc553 (diff)
parent99361c7b3678f3172e076d617179d39e51ac0ddf (diff)
Merge branch 'users/dkirjanov/SLE15/for-next' into SLE15
Pull net fixes from Denis Kirjanov
-rw-r--r--patches.fixes/0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch100
-rw-r--r--patches.fixes/0001-rds-tcp-atomically-purge-entries-from-rds_tcp_conn_l.patch75
-rw-r--r--patches.fixes/0002-netfilter-ipset-Missing-nfnl_lock-nfnl_unlock-is-add.patch41
-rw-r--r--patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch46
-rw-r--r--patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch53
-rw-r--r--patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch37
-rw-r--r--patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch46
-rw-r--r--patches.fixes/0007-xfrm-Fix-ESN-sequence-number-handling-for-IPsec-GSO-.patch36
-rw-r--r--patches.fixes/0008-xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-NULL.patch43
-rw-r--r--patches.fixes/0009-net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_al.patch97
-rw-r--r--patches.fixes/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch124
-rw-r--r--patches.fixes/0011-xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch37
-rw-r--r--patches.fixes/0012-rxrpc-Fix-Tx-ring-annotation-after-initial-Tx-failur.patch42
-rw-r--r--patches.fixes/0013-rxrpc-Don-t-treat-call-aborts-as-conn-aborts.patch60
-rw-r--r--patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch51
-rw-r--r--series.conf15
16 files changed, 903 insertions, 0 deletions
diff --git a/patches.fixes/0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch b/patches.fixes/0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch
new file mode 100644
index 0000000000..32d91a1a93
--- /dev/null
+++ b/patches.fixes/0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch
@@ -0,0 +1,100 @@
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Subject: net: Fix untag for vlan packets without ethernet header
+Patch-mainline: v4.16
+Git-commit: ae4745730cf8e693d354ccd4dbaf59ea440c09a9
+References: git-fixes
+
+In some situation vlan packets do not have ethernet headers. One example
+is packets from tun devices. Users can specify vlan protocol in tun_pi
+field instead of IP protocol, and skb_vlan_untag() attempts to untag such
+packets.
+
+skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
+however did not expect packets without ethernet headers, so in such a case
+size argument for memmove() underflowed and triggered crash.
+
+====
+BUG: unable to handle kernel paging request at ffff8801cccb8000
+IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
+PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
+Oops: 000b [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
+RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
+RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
+RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
+RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
+R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
+R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
+FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
+DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+Call Trace:
+ memmove include/linux/string.h:360 [inline]
+ skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
+ skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
+ __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
+ __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
+ netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
+ netif_receive_skb+0xae/0x390 net/core/dev.c:4725
+ tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
+ tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
+ tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
+ call_write_iter include/linux/fs.h:1782 [inline]
+ new_sync_write fs/read_write.c:469 [inline]
+ __vfs_write+0x684/0x970 fs/read_write.c:482
+ vfs_write+0x189/0x510 fs/read_write.c:544
+ SYSC_write fs/read_write.c:589 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:581
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x454879
+RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
+RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
+Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
+RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
+CR2: ffff8801cccb8000
+====
+
+We don't need to copy headers for packets which do not have preceding
+headers of vlan headers, so skip memmove() in that case.
+
+Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 1e7acdc30732..857e4e6f751a 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5028,8 +5028,10 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ }
+
+ mac_len = skb->data - skb_mac_header(skb);
+- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+- mac_len - VLAN_HLEN - ETH_TLEN);
++ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
++ mac_len - VLAN_HLEN - ETH_TLEN);
++ }
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
+--
+2.12.3
+
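Review bot: This patch can only apply after 0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch from the same merge, because its context lines `mac_len = skb->data - skb_mac_header(skb);` and the `skb_mac_header(skb) + VLAN_HLEN` memmove are introduced by that patch, and its Fixes: tag names it. Despite the 0001 prefix it therefore has to be ordered after 0010 in series.conf (not in view here); placed first, the hunk would not apply. The guard `if (likely(mac_len > VLAN_HLEN + ETH_TLEN))` is the whole fix, but a one-line comment such as `/* tun can deliver VLAN frames with no ethernet header in front; nothing to reorder then */` would save the next reader from re-deriving why mac_len can be that small. Per the trace, the underflow is reachable from userspace by writing a VLAN-tagged frame to a tun fd (tun_chr_write_iter → skb_vlan_untag), which is worth stating in the changelog beyond the bare git-fixes reference. The enclosing skb_reorder_vlan_header() starts outside the hunk.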
diff --git a/patches.fixes/0001-rds-tcp-atomically-purge-entries-from-rds_tcp_conn_l.patch b/patches.fixes/0001-rds-tcp-atomically-purge-entries-from-rds_tcp_conn_l.patch
new file mode 100644
index 0000000000..e5c6510ad4
--- /dev/null
+++ b/patches.fixes/0001-rds-tcp-atomically-purge-entries-from-rds_tcp_conn_l.patch
@@ -0,0 +1,75 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: rds: tcp: atomically purge entries from
+ rds_tcp_conn_list during netns delete
+Patch-mainline: v4.16-rc1
+Git-commit: f10b4cff98c6977668434fbf5dd58695eeca2897
+References: git-fixes
+
+The rds_tcp_kill_sock() function parses the rds_tcp_conn_list
+to find the rds_connection entries marked for deletion as part
+of the netns deletion under the protection of the rds_tcp_conn_lock.
+Since the rds_tcp_conn_list tracks rds_tcp_connections (which
+have a 1:1 mapping with rds_conn_path), multiple tc entries in
+the rds_tcp_conn_list will map to a single rds_connection, and will
+be deleted as part of the rds_conn_destroy() operation that is
+done outside the rds_tcp_conn_lock.
+
+The rds_tcp_conn_list traversal done under the protection of
+rds_tcp_conn_lock should not leave any doomed tc entries in
+the list after the rds_tcp_conn_lock is released, else another
+concurrently executiong netns delete (for a differnt netns) thread
+may trip on these entries.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rds/tcp.c | 9 +++++++--
+ net/rds/tcp.h | 1 +
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index ad0eaab53da0..b598c81aef69 100644
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -306,7 +306,8 @@ static void rds_tcp_conn_free(void *arg)
+ rdsdebug("freeing tc %p\n", tc);
+
+ spin_lock_irqsave(&rds_tcp_conn_lock, flags);
+- list_del(&tc->t_tcp_node);
++ if (!tc->t_tcp_node_detached)
++ list_del(&tc->t_tcp_node);
+ spin_unlock_irqrestore(&rds_tcp_conn_lock, flags);
+
+ kmem_cache_free(rds_tcp_conn_slab, tc);
+@@ -510,8 +511,12 @@ static void rds_tcp_kill_sock(struct net *net)
+
+ if (net != c_net || !tc->t_sock)
+ continue;
+- if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn))
++ if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
+ list_move_tail(&tc->t_tcp_node, &tmp_list);
++ } else {
++ list_del(&tc->t_tcp_node);
++ tc->t_tcp_node_detached = true;
++ }
+ }
+ spin_unlock_irq(&rds_tcp_conn_lock);
+ list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)
+diff --git a/net/rds/tcp.h b/net/rds/tcp.h
+index f8800b7ce79c..87753497fd4f 100644
+--- a/net/rds/tcp.h
++++ b/net/rds/tcp.h
+@@ -11,6 +11,7 @@ struct rds_tcp_incoming {
+ struct rds_tcp_connection {
+
+ struct list_head t_tcp_node;
++ bool t_tcp_node_detached;
+ struct rds_conn_path *t_cpath;
+ /* t_conn_path_lock synchronizes the connection establishment between
+ * rds_tcp_accept_one and rds_tcp_conn_path_connect
+--
+2.12.3
+
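Review bot: The new `t_tcp_node_detached` flag is read in rds_tcp_conn_free() but nothing in the hunk shows where it is initialised when the connection is allocated; if rds_tcp_conn_alloc() (outside the hunk) uses a non-zeroing kmem_cache_alloc(), the flag starts with stale slab contents and a true value would make rds_tcp_conn_free() skip `list_del()` on a node that is still linked into rds_tcp_conn_list. Please confirm the allocation path zeroes the struct, or set `tc->t_tcp_node_detached = false;` under rds_tcp_conn_lock next to the `list_add_tail()` that links the node. The field would also benefit from a comment in tcp.h: `/* true once t_tcp_node has been unlinked from rds_tcp_conn_list; protected by rds_tcp_conn_lock */`.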
diff --git a/patches.fixes/0002-netfilter-ipset-Missing-nfnl_lock-nfnl_unlock-is-add.patch b/patches.fixes/0002-netfilter-ipset-Missing-nfnl_lock-nfnl_unlock-is-add.patch
new file mode 100644
index 0000000000..93de22bb68
--- /dev/null
+++ b/patches.fixes/0002-netfilter-ipset-Missing-nfnl_lock-nfnl_unlock-is-add.patch
@@ -0,0 +1,41 @@
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Subject: netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is
+ added to ip_set_net_exit()
+Patch-mainline: v4.16-rc1
+Git-commit: f998b6b10144cd9809da6af02758615f789e8aa1
+References: git-fixes
+
+Patch "netfilter: ipset: use nfnl_mutex_is_locked" is added the real
+mutex locking check, which revealed the missing locking in ip_set_net_exit().
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Reported-by: syzbot+36b06f219f2439fe62e1@syzkaller.appspotmail.com
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipset/ip_set_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 37345feb43fc..74304b44b8c5 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -2039,6 +2039,7 @@ ip_set_net_exit(struct net *net)
+
+ inst->is_deleted = true; /* flag for ip_set_nfnl_put */
+
++ nfnl_lock(NFNL_SUBSYS_IPSET);
+ for (i = 0; i < inst->ip_set_max; i++) {
+ set = ip_set(inst, i);
+ if (set) {
+@@ -2046,6 +2047,7 @@ ip_set_net_exit(struct net *net)
+ ip_set_destroy_set(set);
+ }
+ }
++ nfnl_unlock(NFNL_SUBSYS_IPSET);
+ kfree(rcu_dereference_protected(inst->ip_set_list, 1));
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch b/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
new file mode 100644
index 0000000000..687fe52749
--- /dev/null
+++ b/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
@@ -0,0 +1,46 @@
+From: Dmitry Vyukov <dvyukov@google.com>
+Subject: netfilter: x_tables: fix int overflow in
+ xt_alloc_table_info()
+Patch-mainline: v4.16-rc1
+Git-commit: 889c604fd0b5f6d3b8694ade229ee44124de1127
+References: git-fixes
+
+syzkaller triggered OOM kills by passing ipt_replace.size = -1
+to IPT_SO_SET_REPLACE. The root cause is that SMP_ALIGN() in
+xt_alloc_table_info() causes int overflow and the size check passes
+when it should not. SMP_ALIGN() is no longer needed leftover.
+
+Remove SMP_ALIGN() call in xt_alloc_table_info().
+
+Reported-by: syzbot+4396883fa8c4f64e0175@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/x_tables.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 2d1d580cf9d0..ed01d01e6871 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -39,7 +39,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+ MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
+
+-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
+ #define XT_PCPU_BLOCK_SIZE 4096
+
+ struct compat_delta {
+@@ -1000,7 +999,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ return NULL;
+
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
++ if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
+
+ if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
+--
+2.12.3
+
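Review bot: Dropping SMP_ALIGN() stops the wrap that let `size = -1` slip past the check, but `size` is still bounded only by `totalram_pages`, so a caller with CAP_NET_ADMIN in an unprivileged netns can still ask for a table close to the size of RAM. If I recall correctly upstream later added a hard cap in this function (`if (size > XT_MAX_TABLE_SIZE) return NULL;` with XT_MAX_TABLE_SIZE at 512 MiB); it is worth pulling that follow-up into the same series rather than relying on the OOM killer. The enclosing xt_alloc_table_info() begins outside the hunk, so the earlier `sz < sizeof(*info)` style check is not visible here.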
diff --git a/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch b/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
new file mode 100644
index 0000000000..5d374acf3a
--- /dev/null
+++ b/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
@@ -0,0 +1,53 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: netfilter: x_tables: avoid out-of-bounds reads in
+ xt_request_find_{match|target}
+Patch-mainline: v4.16-rc1
+Git-commit: da17c73b6eb74aad3c3c0654394635675b623b3e
+References: git-fixes
+
+It looks like syzbot found its way into netfilter territory.
+
+Issue here is that @name comes from user space and might
+not be null terminated.
+
+Out-of-bound reads happen, KASAN is not happy.
+
+v2 added similar fix for xt_request_find_target(),
+as Florian advised.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/x_tables.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index ed01d01e6871..32fe10a98fae 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -209,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+ {
+ struct xt_match *match;
+
++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
++ return ERR_PTR(-EINVAL);
++
+ match = xt_find_match(nfproto, name, revision);
+ if (IS_ERR(match)) {
+ request_module("%st_%s", xt_prefix[nfproto], name);
+@@ -251,6 +254,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
+ {
+ struct xt_target *target;
+
++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
++ return ERR_PTR(-EINVAL);
++
+ target = xt_find_target(af, name, revision);
+ if (IS_ERR(target)) {
+ request_module("%st_%s", xt_prefix[af], name);
+--
+2.12.3
+
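Review bot: The `strnlen(name, XT_EXTENSION_MAXNAMELEN)` guard only fixes the over-read if every caller hands in a buffer of at least XT_EXTENSION_MAXNAMELEN bytes; that holds for the fixed-size `u.user.name[]` fields the *_tables front ends pass, but a caller passing a shorter kernel string would merely move the out-of-bounds read into strnlen(). A comment on each check would make that contract explicit: `/* name is a fixed XT_EXTENSION_MAXNAMELEN-byte array copied from userspace and may lack a NUL; reject it before strcmp()/request_module() walk past it */`. Callers that reach xt_find_match()/xt_find_target() directly rather than through these two wrappers are not covered by this change.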
diff --git a/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch b/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
new file mode 100644
index 0000000000..84946a824a
--- /dev/null
+++ b/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
@@ -0,0 +1,37 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ipv6: fix use-after-free Write in
+ nf_nat_ipv6_manip_pkt
+Patch-mainline: v4.16-rc5
+Git-commit: b078556aecd791b0e5cb3a59f4c3a14273b52121
+References: git-fixes
+
+l4proto->manip_pkt() can cause reallocation of skb head so pointer
+to the ipv6 header must be reloaded.
+
+Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
+Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+index b2b4f031b3a1..df48f83d6795 100644
+--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
+ !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
+ target, maniptype))
+ return false;
++
++ /* must reload, offset might have changed */
++ ipv6h = (void *)skb->data + iphdroff;
++
+ manip_addr:
+ if (maniptype == NF_NAT_MANIP_SRC)
+ ipv6h->saddr = target->src.u3.in6;
+--
+2.12.3
+
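Review bot: The comment `/* must reload, offset might have changed */` describes the wrong thing: `iphdroff` is unchanged, it is the skb head that `l4proto->manip_pkt()` may reallocate (as the commit message says), which is what invalidates the cached `ipv6h` pointer. Suggest `/* must reload: l4proto->manip_pkt() may have reallocated skb->head */`. The reload is correctly placed before the `manip_addr:` label, so the early-goto path that never called manip_pkt() keeps its still-valid pointer; the rest of nf_nat_ipv6_manip_pkt() is outside the hunk.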
diff --git a/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch b/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
new file mode 100644
index 0000000000..21b951e589
--- /dev/null
+++ b/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
@@ -0,0 +1,46 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: remove IPS_NAT_MASK check to fix passive FTP
+Patch-mainline: v4.16-rc5
+Git-commit: 8a949fff0302b50063f74bb345a66190015528d0
+References: git-fixes
+
+The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat()
+which was needed to fix a crash in 2.6.36-rc, see
+commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP").
+But as IPVS does not set the IPS_SRC_NAT and IPS_DST_NAT bits,
+checking for IPS_NAT_MASK prevents PASV response to be properly
+mangled and blocks the transfer. Remove the check as it is not
+needed after 3.12 commit 41d73ec053d2 ("netfilter: nf_conntrack:
+make sequence number adjustments usuable without NAT") which
+changes nfct_nat() with nfct_seqadj() and especially after 3.13
+commit b25adce16064 ("ipvs: correct usage/allocation of seqadj
+ext in ipvs").
+
+Thanks to Li Shuang and Florian Westphal for reporting the problem!
+
+Reported-by: Li Shuang <shuali@redhat.com>
+Fixes: be7be6e161a2 ("netfilter: ipvs: fix incorrect conflict resolution")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
+index fb780be76d15..e273c59dfcba 100644
+--- a/net/netfilter/ipvs/ip_vs_ftp.c
++++ b/net/netfilter/ipvs/ip_vs_ftp.c
+@@ -260,7 +260,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ buf_len = strlen(buf);
+
+ ct = nf_ct_get(skb, &ctinfo);
+- if (ct && (ct->status & IPS_NAT_MASK)) {
++ if (ct) {
+ bool mangled;
+
+ /* If mangling fails this function will return 0
+--
+2.12.3
+
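Review bot: Relaxing `if (ct && (ct->status & IPS_NAT_MASK))` to `if (ct)` means the mangling code below it (outside the hunk) now runs for every conntracked PASV reply, and the commit message makes that safe only because the seqadj extension is guaranteed by the 3.12 and 3.13 commits it cites. For a backport it is worth confirming both of those are in the SLE15 base before merging, since the original crash this check descended from was a missing extension. A short comment at the site, e.g. `/* seqadj ext is always allocated for IPVS FTP conns, no NAT status check needed */`, would record that dependency.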
diff --git a/patches.fixes/0007-xfrm-Fix-ESN-sequence-number-handling-for-IPsec-GSO-.patch b/patches.fixes/0007-xfrm-Fix-ESN-sequence-number-handling-for-IPsec-GSO-.patch
new file mode 100644
index 0000000000..09b3667868
--- /dev/null
+++ b/patches.fixes/0007-xfrm-Fix-ESN-sequence-number-handling-for-IPsec-GSO-.patch
@@ -0,0 +1,36 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Subject: xfrm: Fix ESN sequence number handling for IPsec GSO
+ packets.
+Patch-mainline: v4.16-rc7
+Git-commit: b8b549eec8187ac1b12075d69a2d84d89b5e811a
+References: git-fixes
+
+When IPsec offloading was introduced, we accidentally incremented
+the sequence number counter on the xfrm_state by one packet
+too much in the ESN case. This leads to a sequence number gap of
+one packet after each GSO packet. Fix this by setting the sequence
+number to the correct value.
+
+Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_replay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 02501817227b..bdb9b5121ba8 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -658,7 +658,7 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
+ } else {
+ XFRM_SKB_CB(skb)->seq.output.low = oseq + 1;
+ XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
+- xo->seq.low = oseq = oseq + 1;
++ xo->seq.low = oseq + 1;
+ xo->seq.hi = oseq_hi;
+ oseq += skb_shinfo(skb)->gso_segs;
+ }
+--
+2.12.3
+
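Review bot: The hunk shows only the `} else {` branch of xfrm_replay_overflow_offload_esn(); the function and presumably the non-GSO branch it pairs with start outside the hunk, so it is not visible here that both branches stay consistent after the change. The arithmetic is correct but terse: the first segment takes `oseq + 1` and the counter must end at `oseq + gso_segs`, which the old `oseq = oseq + 1` then `oseq += gso_segs` overshot by one. A comment would make that self-evident: `/* GSO: segments consume oseq+1 .. oseq+gso_segs, so advance by gso_segs only */`.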
diff --git a/patches.fixes/0008-xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-NULL.patch b/patches.fixes/0008-xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-NULL.patch
new file mode 100644
index 0000000000..315aff42cd
--- /dev/null
+++ b/patches.fixes/0008-xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-NULL.patch
@@ -0,0 +1,43 @@
+From: Xin Long <lucien.xin@gmail.com>
+Subject: xfrm: do not call rcu_read_unlock when afinfo is NULL
+ in xfrm_get_tos
+Patch-mainline: v4.16-rc7
+Git-commit: 143a4454daaf0e80a2b9f37159a0d6d2b61e64ed
+References: git-fixes
+
+When xfrm_policy_get_afinfo returns NULL, it will not hold rcu
+read lock. In this case, rcu_read_unlock should not be called
+in xfrm_get_tos, just like other places where it's calling
+xfrm_policy_get_afinfo.
+
+Fixes: f5e2bb4f5b22 ("xfrm: policy: xfrm_get_tos cannot fail")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2f16ab3ecc88..70ed1f452941 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1536,10 +1536,13 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
+ static int xfrm_get_tos(const struct flowi *fl, int family)
+ {
+ const struct xfrm_policy_afinfo *afinfo;
+- int tos = 0;
++ int tos;
+
+ afinfo = xfrm_policy_get_afinfo(family);
+- tos = afinfo ? afinfo->get_tos(fl) : 0;
++ if (!afinfo)
++ return 0;
++
++ tos = afinfo->get_tos(fl);
+
+ rcu_read_unlock();
+
+--
+2.12.3
+
diff --git a/patches.fixes/0009-net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_al.patch b/patches.fixes/0009-net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_al.patch
new file mode 100644
index 0000000000..839ae9fa19
--- /dev/null
+++ b/patches.fixes/0009-net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_al.patch
@@ -0,0 +1,97 @@
+From: Greg Hackmann <ghackmann@google.com>
+Subject: net: xfrm: use preempt-safe this_cpu_read() in
+ ipcomp_alloc_tfms()
+Patch-mainline: v4.16-rc7
+Git-commit: 0dcd7876029b58770f769cbb7b484e88e4a305e5
+References: git-fixes
+
+f7c83bcbfaf5 ("net: xfrm: use __this_cpu_read per-cpu helper") added a
+__this_cpu_read() call inside ipcomp_alloc_tfms().
+
+At the time, __this_cpu_read() required the caller to either not care
+about races or to handle preemption/interrupt issues. 3.15 tightened
+the rules around some per-cpu operations, and now __this_cpu_read()
+should never be used in a preemptible context. On 3.15 and later, we
+need to use this_cpu_read() instead.
+
+syzkaller reported this leading to the following kernel BUG while
+fuzzing sendmsg:
+
+BUG: using __this_cpu_read() in preemptible [00000000] code: repro/3101
+caller is ipcomp_init_state+0x185/0x990
+CPU: 3 PID: 3101 Comm: repro Not tainted 4.16.0-rc4-00123-g86f84779d8e9 #154
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+Call Trace:
+ dump_stack+0xb9/0x115
+ check_preemption_disabled+0x1cb/0x1f0
+ ipcomp_init_state+0x185/0x990
+ ? __xfrm_init_state+0x876/0xc20
+ ? lock_downgrade+0x5e0/0x5e0
+ ipcomp4_init_state+0xaa/0x7c0
+ __xfrm_init_state+0x3eb/0xc20
+ xfrm_init_state+0x19/0x60
+ pfkey_add+0x20df/0x36f0
+ ? pfkey_broadcast+0x3dd/0x600
+ ? pfkey_sock_destruct+0x340/0x340
+ ? pfkey_seq_stop+0x80/0x80
+ ? __skb_clone+0x236/0x750
+ ? kmem_cache_alloc+0x1f6/0x260
+ ? pfkey_sock_destruct+0x340/0x340
+ ? pfkey_process+0x62a/0x6f0
+ pfkey_process+0x62a/0x6f0
+ ? pfkey_send_new_mapping+0x11c0/0x11c0
+ ? mutex_lock_io_nested+0x1390/0x1390
+ pfkey_sendmsg+0x383/0x750
+ ? dump_sp+0x430/0x430
+ sock_sendmsg+0xc0/0x100
+ ___sys_sendmsg+0x6c8/0x8b0
+ ? copy_msghdr_from_user+0x3b0/0x3b0
+ ? pagevec_lru_move_fn+0x144/0x1f0
+ ? find_held_lock+0x32/0x1c0
+ ? do_huge_pmd_anonymous_page+0xc43/0x11e0
+ ? lock_downgrade+0x5e0/0x5e0
+ ? get_kernel_page+0xb0/0xb0
+ ? _raw_spin_unlock+0x29/0x40
+ ? do_huge_pmd_anonymous_page+0x400/0x11e0
+ ? __handle_mm_fault+0x553/0x2460
+ ? __fget_light+0x163/0x1f0
+ ? __sys_sendmsg+0xc7/0x170
+ __sys_sendmsg+0xc7/0x170
+ ? SyS_shutdown+0x1a0/0x1a0
+ ? __do_page_fault+0x5a0/0xca0
+ ? lock_downgrade+0x5e0/0x5e0
+ SyS_sendmsg+0x27/0x40
+ ? __sys_sendmsg+0x170/0x170
+ do_syscall_64+0x19f/0x640
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x7f0ee73dfb79
+RSP: 002b:00007ffe14fc15a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ee73dfb79
+RDX: 0000000000000000 RSI: 00000000208befc8 RDI: 0000000000000004
+RBP: 00007ffe14fc15b0 R08: 00007ffe14fc15c0 R09: 00007ffe14fc15c0
+R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000400440
+R13: 00007ffe14fc16b0 R14: 0000000000000000 R15: 0000000000000000
+
+Signed-off-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_ipcomp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index ccfdc7115a83..a00ec715aa46 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name)
+ struct crypto_comp *tfm;
+
+ /* This can be any valid CPU ID so we don't need locking. */
+- tfm = __this_cpu_read(*pos->tfms);
++ tfm = this_cpu_read(*pos->tfms);
+
+ if (!strcmp(crypto_comp_name(tfm), alg_name)) {
+ pos->users++;
+--
+2.12.3
+
diff --git a/patches.fixes/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch b/patches.fixes/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch
new file mode 100644
index 0000000000..f28650adc1
--- /dev/null
+++ b/patches.fixes/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch
@@ -0,0 +1,124 @@
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Subject: net: Fix vlan untag for bridge and vlan_dev with
+ reorder_hdr off
+Patch-mainline: v4.16-rc7
+Git-commit: 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61
+References: git-fixes
+
+When we have a bridge with vlan_filtering on and a vlan device on top of
+it, packets would be corrupted in skb_vlan_untag() called from
+br_dev_xmit().
+
+The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(),
+which makes use of skb->mac_len. In this function mac_len is meant for
+handling rx path with vlan devices with reorder_header disabled, but in
+tx path mac_len is typically 0 and cannot be used, which is the problem
+in this case.
+
+The current code even does not properly handle rx path (skb_vlan_untag()
+called from __netif_receive_skb_core()) with reorder_header off actually.
+
+In rx path single tag case, it works as follows:
+
+- Before skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+-------------+------+----
+ | ETH | VLAN | ETH |
+ | ADDRS | TPID | TCI | TYPE |
+ +-------------------+-------------+------+----
+ <-------- mac_len --------->
+ <------------->
+ to be removed
+
+- After skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+------+----
+ | ETH | ETH |
+ | ADDRS | TYPE |
+ +-------------------+------+----
+ <-------- mac_len --------->
+
+This is ok, but in rx double tag case, it corrupts packets:
+
+- Before skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+-------------+-------------+------+----
+ | ETH | VLAN | VLAN | ETH |
+ | ADDRS | TPID | TCI | TPID | TCI | TYPE |
+ +-------------------+-------------+-------------+------+----
+ <--------------- mac_len ---------------->
+ <------------->
+ should be removed
+ <--------------------------->
+ actually will be removed
+
+- After skb_reorder_vlan_header()
+
+ mac_header data
+ v v
+ +-------------------+------+----
+ | ETH | ETH |
+ | ADDRS | TYPE |
+ +-------------------+------+----
+ <--------------- mac_len ---------------->
+
+So, two of vlan tags are both removed while only inner one should be
+removed and mac_header (and mac_len) is broken.
+
+skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2),
+so use skb->data and skb->mac_header to calculate the right offset.
+
+Reported-by: Brandon Carpenter <brandon.carpenter@cypherpath.com>
+Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off")
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ include/uapi/linux/if_ether.h | 1 +
+ net/core/skbuff.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
+index 5bc9bfd816b7..8a1e06c2f6c5 100644
+--- a/include/uapi/linux/if_ether.h
++++ b/include/uapi/linux/if_ether.h
+@@ -29,6 +29,7 @@
+ */
+
+ #define ETH_ALEN 6 /* Octets in one ethernet addr */
++#define ETH_TLEN 2 /* Octets in ethernet type field */
+ #define ETH_HLEN 14 /* Total octets in header. */
+ #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */
+ #define ETH_DATA_LEN 1500 /* Max. octets in payload */
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 8bb8cb4b4381..1997042119b4 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4564,13 +4564,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
+
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ {
++ int mac_len;
++
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
+ kfree_skb(skb);
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+- 2 * ETH_ALEN);
++ mac_len = skb->data - skb_mac_header(skb);
++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
++ mac_len - VLAN_HLEN - ETH_TLEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
+--
+2.12.3
+
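Review bot: This patch introduces the unguarded `memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), mac_len - VLAN_HLEN - ETH_TLEN)` that 0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch in this same merge has to fix: for a frame with no ethernet header ahead of the VLAN tag (tun), `mac_len` is below `VLAN_HLEN + ETH_TLEN` and the length underflows into a huge memmove. Make sure series.conf (not visible here) places that follow-up immediately after this patch so no intermediate build carries the regression, or fold the `if (likely(mac_len > VLAN_HLEN + ETH_TLEN))` guard into this patch directly. Declaring `int mac_len` for a pointer difference works, but the signed type is what makes the underflow silent; a comment noting that `mac_len` is expected to cover at least the addresses plus one VLAN tag would document the assumption.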
diff --git a/patches.fixes/0011-xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch b/patches.fixes/0011-xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch
new file mode 100644
index 0000000000..c369bdb3f2
--- /dev/null
+++ b/patches.fixes/0011-xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch
@@ -0,0 +1,37 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: xfrm: fix rcu_read_unlock usage in xfrm_local_error
+Patch-mainline: v4.16
+Git-commit: 46c0ef6e1eb95f619d9f62da4332749153db92f7
+References: git-fixes
+
+In the xfrm_local_error, rcu_read_unlock should be called when afinfo
+is not NULL. because xfrm_state_get_afinfo calls rcu_read_unlock
+if afinfo is NULL.
+
+Fixes: af5d27c4e12b ("xfrm: remove xfrm_state_put_afinfo")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 626424645030..ccd3d76891ab 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -282,8 +282,9 @@ void xfrm_local_error(struct sk_buff *skb, int mtu)
+ return;
+
+ afinfo = xfrm_state_get_afinfo(proto);
+- if (afinfo)
++ if (afinfo) {
+ afinfo->local_error(skb, mtu);
+- rcu_read_unlock();
++ rcu_read_unlock();
++ }
+ }
+ EXPORT_SYMBOL_GPL(xfrm_local_error);
+--
+2.12.3
+
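Review bot: The lock pairing in xfrm_local_error now depends on a property of xfrm_state_get_afinfo() that is stated only in the commit message, so the new `if (afinfo) {` block deserves a comment at the call site, e.g. `/* xfrm_state_get_afinfo() drops rcu_read_lock itself when it returns NULL */` above `afinfo = xfrm_state_get_afinfo(proto);`. Without it the unlock inside the branch reads like a leak on the NULL path, and a later cleanup could move it back out and reintroduce the double unlock. The enclosing function starts outside the hunk.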
diff --git a/patches.fixes/0012-rxrpc-Fix-Tx-ring-annotation-after-initial-Tx-failur.patch b/patches.fixes/0012-rxrpc-Fix-Tx-ring-annotation-after-initial-Tx-failur.patch
new file mode 100644
index 0000000000..55b2a29c24
--- /dev/null
+++ b/patches.fixes/0012-rxrpc-Fix-Tx-ring-annotation-after-initial-Tx-failur.patch
@@ -0,0 +1,42 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix Tx ring annotation after initial Tx failure
+Patch-mainline: v4.17-rc1
+Git-commit: 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19
+References: git-fixes
+
+rxrpc calls have a ring of packets that are awaiting ACK or retransmission
+and a parallel ring of annotations that tracks the state of those packets.
+If the initial transmission of a packet on the underlying UDP socket fails
+then the packet annotation is marked for resend - but the setting of this
+mark accidentally erases the last-packet mark also stored in the same
+annotation slot. If this happens, a call won't switch out of the Tx phase
+when all the packets have been transmitted.
+
+Fix this by retaining the last-packet mark and only altering the packet
+state.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/sendmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
+index 439ebc24a597..301f73e7b111 100644
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -83,7 +83,9 @@ static inline void rxrpc_instant_resend(struct rxrpc_call *call, int ix)
+ spin_lock_bh(&call->lock);
+
+ if (call->state < RXRPC_CALL_COMPLETE) {
+- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS;
++ call->rxtx_annotations[ix] =
++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) |
++ RXRPC_TX_ANNO_RETRANS;
+ if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events))
+ rxrpc_queue_call(call);
+ }
+--
+2.12.3
+
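Review bot: The mask on the new assignment in rxrpc_instant_resend keeps RXRPC_TX_ANNO_LAST, but nothing at the site says which bits must survive the update, so a reader may simplify it back to the plain store the hunk removes. A one-line comment above the assignment, `/* Keep the last-packet mark; only the packet state changes to RETRANS */`, records the intent given in the commit message where it will be seen. The function's opening and its unlock are outside the hunk.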
diff --git a/patches.fixes/0013-rxrpc-Don-t-treat-call-aborts-as-conn-aborts.patch b/patches.fixes/0013-rxrpc-Don-t-treat-call-aborts-as-conn-aborts.patch
new file mode 100644
index 0000000000..63b78cf985
--- /dev/null
+++ b/patches.fixes/0013-rxrpc-Don-t-treat-call-aborts-as-conn-aborts.patch
@@ -0,0 +1,60 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Don't treat call aborts as conn aborts
+Patch-mainline: v4.17-rc1
+Git-commit: 57b0c9d49b94bbeb53649b7fbd264603c1ebd585
+References: git-fixes
+
+If a call-level abort is received for the previous call to complete on a
+connection channel, then that abort is queued for the connection processor
+to handle. Unfortunately, the connection processor then assumes without
+checking that the abort is connection-level (ie. callNumber is 0) and
+distributes it over all active calls on that connection, thereby
+incorrectly aborting them.
+
+Fix this by discarding aborts aimed at a completed call.
+
+Further, discard all packets aimed at a call that's complete if there's
+currently an active call on a channel, since the DATA packets associated
+with the new call automatically terminate the old call.
+
+Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/input.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 45dba732a3b4..8d41f8b24abb 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1168,16 +1168,19 @@ void rxrpc_data_ready(struct sock *udp_sk)
+ goto discard_unlock;
+
+ if (sp->hdr.callNumber == chan->last_call) {
+- /* For the previous service call, if completed successfully, we
+- * discard all further packets.
++ if (chan->call ||
++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)
++ goto discard_unlock;
++
++ /* For the previous service call, if completed
++ * successfully, we discard all further packets.
+ */
+ if (rxrpc_conn_is_service(conn) &&
+- (chan->last_type == RXRPC_PACKET_TYPE_ACK ||
+- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT))
++ chan->last_type == RXRPC_PACKET_TYPE_ACK)
+ goto discard_unlock;
+
+- /* But otherwise we need to retransmit the final packet from
+- * data cached in the connection record.
++ /* But otherwise we need to retransmit the final packet
++ * from data cached in the connection record.
+ */
+ rxrpc_post_packet_to_conn(conn, skb);
+ goto out_unlock;
+--
+2.12.3
+
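Review bot: The new early discard in rxrpc_data_ready drops every ABORT aimed at chan->last_call on client as well as service connections, whereas the condition it replaces applied only under rxrpc_conn_is_service(); the commit message describes this as intended, but the code carries no explanation. A short comment above the new `if (chan->call ||` test, along the lines of `/* Once a new call is active on the channel, or for a call-level abort, drop packets for the completed call: the conn processor would otherwise treat the abort as connection-level */`, would make the reasoning reviewable in place. The surrounding function and the lock that `discard_unlock` releases are outside the hunk.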
diff --git a/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch b/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
new file mode 100644
index 0000000000..8e040f33f1
--- /dev/null
+++ b/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
@@ -0,0 +1,51 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: tcp: fix TCP_REPAIR_QUEUE bound checking
+Patch-mainline: v4.17-rc4
+Git-commit: bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9
+References: git-fixes
+
+syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
+with following C-repro :
+
+socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
+setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
+sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
+ 1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
+setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
+writev(3, [{"\270", 1}], 1) = 1
+setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
+writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144
+
+The 3rd system call looks odd :
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+
+This patch makes sure bound checking is using an unsigned compare.
+
+Fixes: ee9952831cfd ("tcp: Initial repair mode")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f348ad7e1a1b..e8408fdd2a01 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2444,7 +2444,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+ case TCP_REPAIR_QUEUE:
+ if (!tp->repair)
+ err = -EPERM;
+- else if (val < TCP_QUEUES_NR)
++ else if ((unsigned int)val < TCP_QUEUES_NR)
+ tp->repair_queue = val;
+ else
+ err = -EINVAL;
+--
+2.12.3
+
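Review bot: The unsigned compare on the new `else if ((unsigned int)val < TCP_QUEUES_NR)` line is the whole fix, but its purpose — rejecting a negative `val`, which the signed compare let through and stored in tp->repair_queue — is visible only in the commit message. A comment on that line, `/* unsigned compare: a negative val must not pass as a valid queue */`, would keep a later reader from dropping the cast as redundant. do_tcp_setsockopt continues beyond the hunk, and the declared type of `val` is not visible here.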
diff --git a/series.conf b/series.conf
index c0cc07ac94..d8b41587b9 100644
--- a/series.conf
+++ b/series.conf
@@ -12271,6 +12271,7 @@
patches.drivers/vmxnet3-increase-default-rx-ring-sizes.patch
patches.fixes/rds-tcp-remove-redundant-function-rds_tcp_conn_paths.patch
patches.fixes/rds-tcp-correctly-sequence-cleanup-on-netns-deletion.patch
+ patches.fixes/0001-rds-tcp-atomically-purge-entries-from-rds_tcp_conn_l.patch
patches.drivers/net-ethtool-add-support-for-reset-of-AP-inside-NIC-i.patch
patches.drivers/bnxt_en-Add-ETH_RESET_AP-support.patch
patches.suse/msft-hv-1555-hv_netvsc-drop-unused-macros.patch
@@ -12408,6 +12409,7 @@
patches.drivers/net-hns3-fix-for-not-setting-pause-parameters.patch
patches.drivers/net-hns3-remove-redundant-semicolon.patch
patches.drivers/net-hns3-Add-more-packet-size-statisctics.patch
+ patches.fixes/0002-netfilter-ipset-Missing-nfnl_lock-nfnl_unlock-is-add.patch
patches.drivers/ixgbe-enable-multicast-on-shutdown-for-WOL.patch
patches.drivers/ixgbe-remove-unused-enum-latency_range.patch
patches.drivers/ixgbe-advertise-highest-capable-link-speed.patch
@@ -13193,6 +13195,8 @@
patches.fixes/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-usin.patch
patches.fixes/openvswitch-Remove-padding-from-packet-before-L3-con.patch
patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch
+ patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
+ patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
patches.fixes/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch
patches.fixes/netfilter-ipt_CLUSTERIP-fix-out-of-bounds-accesses-i.patch
patches.fixes/netfilter-on-sockopt-acquire-sock-lock-only-in-the-r.patch
@@ -14018,9 +14022,11 @@
patches.fixes/bpf-ppc64-fix-out-of-bounds-access-in-tail-call.patch
patches.fixes/rds-Incorrect-reference-counting-in-TCP-socket-creat.patch
patches.drivers/mac80211-drop-frames-with-unexpected-DS-bits-from-fa
+ patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
patches.fixes/netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
patches.suse/netfilter-don-t-set-F_IFACE-on-ipv6-fib-lookups.patch
patches.fixes/netfilter-use-skb_to_full_sk-in-ip6_route_me_harder.patch
+ patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
patches.fixes/batman-adv-fix-packet-checksum-in-receive-path.patch
patches.fixes/batman-adv-invalidate-checksum-on-fragment-reassembl.patch
patches.fixes/batman-adv-Ignore-invalid-batadv_iv_gw-during-netlin.patch
@@ -14293,6 +14299,9 @@
patches.suse/net-ipv6-keep-sk-status-consistent-after-datagram-co.patch
patches.drivers/Revert-e1000e-Separate-signaling-for-link-check-link.patch
patches.drivers/e1000e-Fix-link-check-race-condition.patch
+ patches.fixes/0008-xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-NULL.patch
+ patches.fixes/0007-xfrm-Fix-ESN-sequence-number-handling-for-IPsec-GSO-.patch
+ patches.fixes/0009-net-xfrm-use-preempt-safe-this_cpu_read-in-ipcomp_al.patch
patches.drivers/qed-Use-after-free-in-qed_rdma_free.patch
patches.suse/net-use-skb_to_full_sk-in-skb_update_prio.patch
patches.suse/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch
@@ -14304,6 +14313,7 @@
patches.drivers/can-cc770-Fix-stalls-on-rt-linux-remove-redundant-IR
patches.drivers/can-cc770-Fix-queue-stall-dropped-RTR-reply
patches.drivers/net-sched-actions-return-explicit-error-when-tunnel_.patch
+ patches.fixes/0010-net-Fix-vlan-untag-for-bridge-and-vlan_dev-with-reor.patch
patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch
patches.suse/net-systemport-Rewrite-__bcm_sysport_tx_reclaim.patch
patches.suse/net-iucv-Free-memory-obtained-by-kzalloc.patch
@@ -14463,6 +14473,7 @@
patches.drivers/net-mlx4_core-Fix-memory-leak-while-delete-slave-s-r.patch
patches.suse/vhost-correctly-remove-wait-queue-during-poll-failur.patch
patches.drivers/qede-Fix-barrier-usage-after-tx-doorbell-write.patch
+ patches.fixes/0011-xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch
patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch
patches.fixes/vti6-Properly-adjust-vti6-MTU-from-MTU-of-lower-devi.patch
patches.fixes/vti6-Keep-set-MTU-on-link-creation-or-change-validat.patch
@@ -14471,6 +14482,7 @@
patches.suse/msft-hv-1654-hv_netvsc-enable-multicast-if-necessary.patch
patches.drivers/qede-Do-not-drop-rx-checksum-invalidated-packets.patch
patches.suse/vhost-validate-log-when-IOTLB-is-enabled.patch
+ patches.fixes/0001-net-Fix-untag-for-vlan-packets-without-ethernet-head.patch
patches.suse/ipv6-sr-fix-seg6-encap-performances-with-TSO-enabled.patch
patches.suse/vrf-Fix-use-after-free-and-double-free-in-vrf_finish.patch
patches.suse/net-ipv6-Fix-route-leaking-between-VRFs.patch
@@ -14810,6 +14822,8 @@
patches.drivers/net-thunderx-add-workqueue-control-structures-for-ha.patch
patches.drivers/net-thunderx-add-ndo_set_rx_mode-callback-implementa.patch
patches.drivers/net-hns3-remove-unnecessary-pci_set_drvdata-and-devm.patch
+ patches.fixes/0012-rxrpc-Fix-Tx-ring-annotation-after-initial-Tx-failur.patch
+ patches.fixes/0013-rxrpc-Don-t-treat-call-aborts-as-conn-aborts.patch
patches.drivers/net-mlx5-Eliminate-query-xsrq-dead-code.patch
patches.drivers/bnxt_en-Update-firmware-interface-to-1.9.1.15.patch
patches.drivers/bnxt_en-Adjust-default-rings-for-multi-port-NICs.patch
@@ -15859,6 +15873,7 @@
patches.suse/net-support-compat-64-bit-time-in-s-g-etsockopt.patch
patches.suse/bridge-check-iface-upper-dev-when-setting-master-via.patch
patches.drivers/qed-fix-spelling-mistake-checksumed-checksummed.patch
+ patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
patches.suse/net-ethernet-ti-cpsw-fix-packet-leaking-in-dual_mac-.patch
patches.suse/tcp_bbr-fix-to-zero-idle_restart-only-upon-S-ACKed-d.patch
patches.suse/sctp-use-the-old-asoc-when-making-the-cookie-ack-chu.patch