more 3.18 patches

13 files changed, 453 insertions, 0 deletions

diff --git a/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/appletalk-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000..a7f2453
--- /dev/null
+++ b/appletalk-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:46 +0200
+Subject: appletalk: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ]
+
+When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/appletalk/ddp.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1029,6 +1029,11 @@ static int atalk_create(struct net *net,
+ 	 */
+ 	if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ 		goto out;
++
++	rc = -EPERM;
++	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
++		goto out;
++
+ 	rc = -ENOMEM;
+ 	sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto);
+ 	if (!sk)
diff --git a/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/ax25-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000..a378292
--- /dev/null
+++ b/ax25-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,31 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:47 +0200
+Subject: ax25: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ]
+
+When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -860,6 +860,8 @@ static int ax25_create(struct net *net,
+ 		break;
+ 
+ 	case SOCK_RAW:
++		if (!capable(CAP_NET_RAW))
++			return -EPERM;
+ 		break;
+ 	default:
+ 		return -ESOCKTNOSUPPORT;
diff --git a/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
new file mode 100644
index 0000000..d5a0e71
--- /dev/null
+++ b/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Wed, 18 Sep 2019 14:01:46 +0200
+Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the driver more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of the out pipe is used as divisor. So this change
+fixes a divide-by-zero bug.
+
+Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -635,8 +635,12 @@ cdc_ncm_find_endpoints(struct usbnet *de
+ 	u8 ep;
+ 
+ 	for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
+-
+ 		e = intf->cur_altsetting->endpoint + ep;
++
++		/* ignore endpoints which cannot transfer data */
++		if (!usb_endpoint_maxp(&e->desc))
++			continue;
++
+ 		switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
+ 		case USB_ENDPOINT_XFER_INT:
+ 			if (usb_endpoint_dir_in(&e->desc)) {
diff --git a/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000..ad01297
--- /dev/null
+++ b/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:48 +0200
+Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ]
+
+When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
+checked first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/af_ieee802154.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/af_ieee802154.c
++++ b/net/ieee802154/af_ieee802154.c
+@@ -252,6 +252,9 @@ static int ieee802154_create(struct net
+ 
+ 	switch (sock->type) {
+ 	case SOCK_RAW:
++		rc = -EPERM;
++		if (!capable(CAP_NET_RAW))
++			goto out;
+ 		proto = &ieee802154_raw_prot;
+ 		ops = &ieee802154_raw_ops;
+ 		break;
diff --git a/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/misdn-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000..12fa857
--- /dev/null
+++ b/misdn-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,31 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:45 +0200
+Subject: mISDN: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ]
+
+When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/socket.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -763,6 +763,8 @@ base_sock_create(struct net *net, struct
+ 
+ 	if (sock->type != SOCK_RAW)
+ 		return -ESOCKTNOSUPPORT;
++	if (!capable(CAP_NET_RAW))
++		return -EPERM;
+ 
+ 	sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto);
+ 	if (!sk)
diff --git a/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
new file mode 100644
index 0000000..07991de
--- /dev/null
+++ b/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
@@ -0,0 +1,45 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Peter Mamonov <pmamonov@gmail.com>
+Date: Wed, 18 Sep 2019 19:27:55 +0300
+Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function
+
+From: Peter Mamonov <pmamonov@gmail.com>
+
+[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ]
+
+According to the DP83865 datasheet "the 10 Mbps HDX loopback can be
+disabled in the expanded memory register 0x1C0.1". The driver erroneously
+used bit 0 instead of bit 1.
+
+Fixes: 4621bf129856 ("phy: Add file missed in previous commit.")
+Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/national.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/phy/national.c
++++ b/drivers/net/phy/national.c
+@@ -110,14 +110,17 @@ static void ns_giga_speed_fallback(struc
+ 
+ static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable)
+ {
++	u16 lb_dis = BIT(1);
++
+ 	if (disable)
+-		ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1);
++		ns_exp_write(phydev, 0x1c0,
++			     ns_exp_read(phydev, 0x1c0) | lb_dis);
+ 	else
+ 		ns_exp_write(phydev, 0x1c0,
+-			     ns_exp_read(phydev, 0x1c0) & 0xfffe);
++			     ns_exp_read(phydev, 0x1c0) & ~lb_dis);
+ 
+ 	pr_debug("10BASE-T HDX loopback %s\n",
+-		 (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on");
++		 (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on");
+ }
+ 
+ static int ns_config_init(struct phy_device *phydev)
diff --git a/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/nfc-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000..589f5db
--- /dev/null
+++ b/nfc-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:49 +0200
+Subject: nfc: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -1005,10 +1005,13 @@ static int llcp_sock_create(struct net *
+ 	    sock->type != SOCK_RAW)
+ 		return -ESOCKTNOSUPPORT;
+ 
+-	if (sock->type == SOCK_RAW)
++	if (sock->type == SOCK_RAW) {
++		if (!capable(CAP_NET_RAW))
++			return -EPERM;
+ 		sock->ops = &llcp_rawsock_ops;
+-	else
++	} else {
+ 		sock->ops = &llcp_sock_ops;
++	}
+ 
+ 	sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC);
+ 	if (sk == NULL)
diff --git a/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
new file mode 100644
index 0000000..6cb7bd2
--- /dev/null
+++ b/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
@@ -0,0 +1,40 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 24 Sep 2019 19:11:52 +0800
+Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ]
+
+userspace openvswitch patch "(dpif-linux: Implement the API
+functions to allow multiple handler threads read upcall)"
+changes its type from U32 to UNSPEC, but leave the kernel
+unchanged
+
+and after kernel 6e237d099fac "(netlink: Relax attr validation
+for fixed length types)", this bug is exposed by the below
+warning
+
+	[   57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length.
+
+Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1974,7 +1974,7 @@ static const struct nla_policy vport_pol
+ 	[OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) },
+ 	[OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 },
+ 	[OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 },
+-	[OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 },
++	[OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC },
+ 	[OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED },
+ };
+ 
diff --git a/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
new file mode 100644
index 0000000..518077f
--- /dev/null
+++ b/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
@@ -0,0 +1,36 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 18 Sep 2019 08:05:39 -0700
+Subject: sch_netem: fix a divide by zero in tabledist()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ]
+
+syzbot managed to crash the kernel in tabledist() loading
+an empty distribution table.
+
+	t = dist->table[rnd % dist->size];
+
+Simply return an error when such load is attempted.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_netem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -725,7 +725,7 @@ static int get_dist_table(struct Qdisc *
+ 	int i;
+ 	size_t s;
+ 
+-	if (n > NETEM_DIST_MAX)
++	if (!n || n > NETEM_DIST_MAX)
+ 		return -EINVAL;
+ 
+ 	s = sizeof(struct disttable) + n * sizeof(s16);
diff --git a/series b/series
index 7b0d1ff..64d886a 100644
--- a/series
+++ b/series
@@ -3,3 +3,15 @@ hid-lg-make-transfer-buffers-dma-capable.patch
 hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch
 mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch
 asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch
+cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
+net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
+openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
+sch_netem-fix-a-divide-by-zero-in-tabledist.patch
+skge-fix-checksum-byte-order.patch
+usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
+usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
+misdn-enforce-cap_net_raw-for-raw-sockets.patch
+appletalk-enforce-cap_net_raw-for-raw-sockets.patch
+ax25-enforce-cap_net_raw-for-raw-sockets.patch
+nfc-enforce-cap_net_raw-for-raw-sockets.patch
+ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
diff --git a/skge-fix-checksum-byte-order.patch b/skge-fix-checksum-byte-order.patch
new file mode 100644
index 0000000..d8c2800
--- /dev/null
+++ b/skge-fix-checksum-byte-order.patch
@@ -0,0 +1,32 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 20 Sep 2019 18:18:26 +0200
+Subject: skge: fix checksum byte order
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ]
+
+Running old skge driver on PowerPC causes checksum errors
+because hardware reported 1's complement checksum is in little-endian
+byte order.
+
+Reported-by: Benoit <benoit.sansoni@gmail.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/skge.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -3114,7 +3114,7 @@ static struct sk_buff *skge_rx_get(struc
+ 	skb_put(skb, len);
+ 
+ 	if (dev->features & NETIF_F_RXCSUM) {
+-		skb->csum = csum;
++		skb->csum = le16_to_cpu(csum);
+ 		skb->ip_summed = CHECKSUM_COMPLETE;
+ 	}
+ 
diff --git a/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
new file mode 100644
index 0000000..e979ac1
--- /dev/null
+++ b/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
@@ -0,0 +1,39 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Wed, 18 Sep 2019 14:17:38 +0200
+Subject: usbnet: ignore endpoints with invalid wMaxPacketSize
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the drivers more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of these endpoints are used for memory allocations
+and as divisors in many usbnet minidrivers. Avoiding zero is therefore
+critical.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -114,6 +114,11 @@ int usbnet_get_endpoints(struct usbnet *
+ 			int				intr = 0;
+ 
+ 			e = alt->endpoint + ep;
++
++			/* ignore endpoints which cannot transfer data */
++			if (!usb_endpoint_maxp(&e->desc))
++				continue;
++
+ 			switch (e->desc.bmAttributes) {
+ 			case USB_ENDPOINT_XFER_INT:
+ 				if (!usb_endpoint_dir_in(&e->desc))
diff --git a/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
new file mode 100644
index 0000000..3a5a1ef
--- /dev/null
+++ b/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 19 Sep 2019 10:23:08 +0200
+Subject: usbnet: sanity checking of packet sizes and device mtu
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
+
+After a reset packet sizes and device mtu can change and need
+to be reevaluated to calculate queue sizes.
+Malicious devices can set this to zero and we divide by it.
+Introduce sanity checking.
+
+Reported-and-tested-by:  syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -352,6 +352,8 @@ void usbnet_update_max_qlen(struct usbne
+ {
+ 	enum usb_device_speed speed = dev->udev->speed;
+ 
++	if (!dev->rx_urb_size || !dev->hard_mtu)
++		goto insanity;
+ 	switch (speed) {
+ 	case USB_SPEED_HIGH:
+ 		dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
+@@ -367,6 +369,7 @@ void usbnet_update_max_qlen(struct usbne
+ 		dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
+ 		break;
+ 	default:
++insanity:
+ 		dev->rx_qlen = dev->tx_qlen = 4;
+ 	}
+ }