Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix list tests in netfilter ingress support, from Florian Westphal.

 2) Fix reversal of input and output interfaces in ingress hook
    invocation, from Pablo Neira Ayuso.

 3) We have a use after free in r8169, caught by Dave Jones, fixed by
    Francois Romieu.

 4) Splice use-after-free fix in AF_UNIX frmo Hannes Frederic Sowa.

 5) Three ipv6 route handling bug fixes from Martin KaFai Lau:
    a) Don't create clone routes not managed by the fib6 tree
    b) Don't forget to check expiration of DST_NOCACHE routes.
    c) Handle rt->dst.from == NULL properly.

 6) Several AF_PACKET fixes wrt transport header setting and SKB
    protocol setting, from Daniel Borkmann.

 7) Fix thunder driver crash on shutdown, from Pavel Fedin.

 8) Several Mellanox driver fixes (max MTU calculations, use of correct
    DMA unmap in TX path, etc.) from Saeed Mahameed, Tariq Toukan, Doron
    Tsur, Achiad Shochat, Eran Ben Elisha, and Noa Osherovich.

 9) Several mv88e6060 DSA driver fixes (wrong bit definitions for
    certain registers, etc.) from Neil Armstrong.

10) Make sure to disable preemption while updating per-cpu stats of ip
    tunnels, from Jason A.  Donenfeld.

11) Various ARM64 bpf JIT fixes, from Yang Shi.

12) Flush icache properly in ARM JITs, from Daniel Borkmann.

13) Fix masking of RX and TX interrupts in ravb driver, from Masaru
    Nagai.

14) Fix netdev feature propagation for devices not implementing
    ->ndo_set_features().  From Nikolay Aleksandrov.

15) Big endian fix in vmxnet3 driver, from Shrikrishna Khare.

16) RAW socket code increments incorrect SNMP counters, fix from Ben
    Cartwright-Cox.

17) IPv6 multicast SNMP counters are bumped twice, fix from Neil Horman.

18) Fix handling of VLAN headers on stacked devices when REORDER is
    disabled.  From Vlad Yasevich.

19) Fix SKB leaks and use-after-free in ipvlan and macvlan drivers, from
    Sabrina Dubroca.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits)
  MAINTAINERS: Update Mellanox's Eth NIC driver entries
  net/core: revert "net: fix __netdev_update_features return.." and add comment
  af_unix: take receive queue lock while appending new skb
  rtnetlink: fix frame size warning in rtnl_fill_ifinfo
  net: use skb_clone to avoid alloc_pages failure.
  packet: Use PAGE_ALIGNED macro
  packet: Don't check frames_per_block against negative values
  net: phy: Use interrupts when available in NOLINK state
  phy: marvell: Add support for 88E1540 PHY
  arm64: bpf: make BPF prologue and epilogue align with ARM64 AAPCS
  macvlan: fix leak in macvlan_handle_frame
  ipvlan: fix use after free of skb
  ipvlan: fix leak in ipvlan_rcv_frame
  vlan: Do not put vlan headers back on bridge and macvlan ports
  vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
  via-velocity: unconditionally drop frames with bad l2 length
  ipg: Remove ipg driver
  dl2k: Add support for IP1000A-based cards
  snmp: Remove duplicate OUTMCAST stat increment
  net: thunder: Check for driver data in nicvf_remove()
  ...

1 files changed, 23 insertions, 1 deletions

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index aaa0b58d6aba..955ec152cb71 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -441,6 +441,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
                 if (state == TCP_LISTEN)
                         unix_release_sock(skb->sk, 1);
                 /* passed fds are erased in the kfree_skb hook        */
+                UNIXCB(skb).consumed = skb->len;
                 kfree_skb(skb);
         }
 
@@ -1799,6 +1800,7 @@ alloc_skb:
                  * this - does no harm
                  */
                 consume_skb(newskb);
+                newskb = NULL;
         }
 
         if (skb_append_pagefrags(skb, page, offset, size)) {
@@ -1811,8 +1813,11 @@ alloc_skb:
         skb->truesize += size;
         atomic_add(size, &sk->sk_wmem_alloc);
 
-        if (newskb)
+        if (newskb) {
+                spin_lock(&other->sk_receive_queue.lock);
                 __skb_queue_tail(&other->sk_receive_queue, newskb);
+                spin_unlock(&other->sk_receive_queue.lock);
+        }
 
         unix_state_unlock(other);
         mutex_unlock(&unix_sk(other)->readlock);
@@ -2072,6 +2077,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
 
         do {
                 int chunk;
+                bool drop_skb;
                 struct sk_buff *skb, *last;
 
                 unix_state_lock(sk);
@@ -2152,7 +2158,11 @@ unlock:
                 }
 
                 chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
+                skb_get(skb);
                 chunk = state->recv_actor(skb, skip, chunk, state);
+                drop_skb = !unix_skb_len(skb);
+                /* skb is only safe to use if !drop_skb */
+                consume_skb(skb);
                 if (chunk < 0) {
                         if (copied == 0)
                                 copied = -EFAULT;
@@ -2161,6 +2171,18 @@ unlock:
                 copied += chunk;
                 size -= chunk;
 
+                if (drop_skb) {
+                        /* the skb was touched by a concurrent reader;
+                         * we should not expect anything from this skb
+                         * anymore and assume it invalid - we can be
+                         * sure it was dropped from the socket queue
+                         *
+                         * let's report a short read
+                         */
+                        err = 0;
+                        break;
+                }
+
                 /* Mark read part of skb as used */
                 if (!(flags & MSG_PEEK)) {
                         UNIXCB(skb).consumed += chunk;