4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:26:25 +0000 (14:26 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:26:25 +0000 (14:26 +0200)
added patches:
binder-fix-handling-of-misaligned-binder-object.patch
fm10k-fix-a-potential-null-pointer-dereference.patch
fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
ipvs-fix-warning-on-unused-variable.patch
netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
sched-deadline-correctly-handle-active-0-lag-timers.patch
slip-make-slhc_free-silently-accept-an-error-pointer.patch
tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
tipc-handle-the-err-returned-from-cmd-header-function.patch

13 files changed:
queue-4.14/binder-fix-handling-of-misaligned-binder-object.patch [new file with mode: 0644]
queue-4.14/fm10k-fix-a-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.14/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.14/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch [new file with mode: 0644]
queue-4.14/ipvs-fix-warning-on-unused-variable.patch [new file with mode: 0644]
queue-4.14/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch [new file with mode: 0644]
queue-4.14/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch [new file with mode: 0644]
queue-4.14/sched-deadline-correctly-handle-active-0-lag-timers.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/slip-make-slhc_free-silently-accept-an-error-pointer.patch [new file with mode: 0644]
queue-4.14/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch [new file with mode: 0644]
queue-4.14/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch [new file with mode: 0644]
queue-4.14/tipc-handle-the-err-returned-from-cmd-header-function.patch [new file with mode: 0644]

diff --git a/queue-4.14/binder-fix-handling-of-misaligned-binder-object.patch b/queue-4.14/binder-fix-handling-of-misaligned-binder-object.patch
new file mode 100644 (file)
index 0000000..18ff23a
--- /dev/null
@@ -0,0 +1,58 @@
+From 26528be6720bb40bc8844e97ee73a37e530e9c5e Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Thu, 14 Feb 2019 15:22:57 -0800
+Subject: binder: fix handling of misaligned binder object
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 26528be6720bb40bc8844e97ee73a37e530e9c5e upstream.
+
+Fixes crash found by syzbot:
+kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
+
+Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: stable <stable@vger.kernel.org> # 5.0, 4.19, 4.14
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -945,14 +945,13 @@ enum lru_status binder_alloc_free_page(s
+       index = page - alloc->pages;
+       page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
++
++      mm = alloc->vma_vm_mm;
++      if (!mmget_not_zero(mm))
++              goto err_mmget;
++      if (!down_write_trylock(&mm->mmap_sem))
++              goto err_down_write_mmap_sem_failed;
+       vma = binder_alloc_get_vma(alloc);
+-      if (vma) {
+-              if (!mmget_not_zero(alloc->vma_vm_mm))
+-                      goto err_mmget;
+-              mm = alloc->vma_vm_mm;
+-              if (!down_write_trylock(&mm->mmap_sem))
+-                      goto err_down_write_mmap_sem_failed;
+-      }
+       list_lru_isolate(lru, item);
+       spin_unlock(lock);
+@@ -965,10 +964,9 @@ enum lru_status binder_alloc_free_page(s
+                              PAGE_SIZE);
+               trace_binder_unmap_user_end(alloc, index);
+-
+-              up_write(&mm->mmap_sem);
+-              mmput(mm);
+       }
++      up_write(&mm->mmap_sem);
++      mmput(mm);
+       trace_binder_unmap_kernel_start(alloc, index);
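Review bot: `mm = alloc->vma_vm_mm` is now handed to `mmget_not_zero()` unconditionally, whereas the removed code only touched it inside `if (vma)`; that is safe only if vma_vm_mm is guaranteed non-NULL for every page that can reach the LRU, which this hunk does not show. A comment recording the assumption would help the next reader, e.g. `/* vma_vm_mm is set at mmap time and is never cleared, so it is valid for any page on the LRU */` — confirm against binder_alloc_mmap_handler before relying on it. Taking mmap_sem before reading the vma, rather than after, is the actual fix and looks right. binder_alloc_free_page begins and ends outside the hunk.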
diff --git a/queue-4.14/fm10k-fix-a-potential-null-pointer-dereference.patch b/queue-4.14/fm10k-fix-a-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..9ba2a30
--- /dev/null
@@ -0,0 +1,74 @@
+From 01ca667133d019edc9f0a1f70a272447c84ec41f Mon Sep 17 00:00:00 2001
+From: Yue Haibing <yuehaibing@huawei.com>
+Date: Thu, 21 Mar 2019 22:42:23 +0800
+Subject: fm10k: Fix a potential NULL pointer dereference
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+commit 01ca667133d019edc9f0a1f70a272447c84ec41f upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4378 Comm: syz-executor.0 Tainted: G         C        5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:__lock_acquire+0x95b/0x3200 kernel/locking/lockdep.c:3573
+Code: 00 0f 85 28 1e 00 00 48 81 c4 08 01 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 24 00 00 49 81 7d 00 e0 de 03 a6 41 bc 00 00
+RSP: 0018:ffff8881e3c07a40 EFLAGS: 00010002
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8881e3c07d98 R11: ffff8881c7f21f80 R12: 0000000000000001
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000001
+FS:  00007fce2252e700(0000) GS:ffff8881f2400000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fffc7eb0228 CR3: 00000001e5bea002 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ lock_acquire+0xff/0x2c0 kernel/locking/lockdep.c:4211
+ __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+ __mutex_lock+0xdf/0x1050 kernel/locking/mutex.c:1072
+ drain_workqueue+0x24/0x3f0 kernel/workqueue.c:2934
+ destroy_workqueue+0x23/0x630 kernel/workqueue.c:4319
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x30c/0x480 kernel/module.c:961
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fce2252dc58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce2252e6bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+If alloc_workqueue fails, it should return -ENOMEM, otherwise may
+trigger this NULL pointer dereference while unloading drivers.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 0a38c17a21a0 ("fm10k: Remove create_workqueue")
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -58,6 +58,8 @@ static int __init fm10k_init_module(void
+       /* create driver workqueue */
+       fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0,
+                                         fm10k_driver_name);
++      if (!fm10k_workqueue)
++              return -ENOMEM;
+       fm10k_dbg_init();
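Review bot: The new early return gives the user no diagnostic when alloc_workqueue() fails, so the module simply refuses to load with -ENOMEM; a `pr_err("%s: failed to allocate workqueue\n", fm10k_driver_name);` before the `return -ENOMEM;` would make the failure visible in dmesg. Returning here is correct since nothing else has been set up yet, and it also keeps the NULL workqueue from ever reaching destroy_workqueue() in the exit path shown in the trace. fm10k_init_module continues past the hunk.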
diff --git a/queue-4.14/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-4.14/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..cd96b4e
--- /dev/null
@@ -0,0 +1,97 @@
+From 89189557b47b35683a27c80ee78aef18248eefb4 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 25 Apr 2019 22:24:05 -0700
+Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream.
+
+Syzkaller report this:
+
+  sysctl could not get directory: /net//bridge -12
+  kasan: CONFIG_KASAN_INLINE enabled
+  kasan: GPF could be caused by NULL-ptr deref or user memory access
+  general protection fault: 0000 [#1] SMP KASAN PTI
+  CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+  RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
+  RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
+  RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
+  RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
+  Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
+  RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
+  RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
+  RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
+  RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
+  R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
+  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+  FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  PKRU: 55555554
+  Call Trace:
+   erase_entry fs/proc/proc_sysctl.c:178 [inline]
+   erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
+   start_unregistering fs/proc/proc_sysctl.c:331 [inline]
+   drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
+   get_subdir fs/proc/proc_sysctl.c:1022 [inline]
+   __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
+   br_netfilter_init+0x68/0x1000 [br_netfilter]
+   do_one_initcall+0xbc/0x47d init/main.c:901
+   do_init_module+0x1b5/0x547 kernel/module.c:3456
+   load_module+0x6405/0x8c10 kernel/module.c:3804
+   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
+   iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
+  Dumping ftrace buffer:
+     (ftrace buffer empty)
+  ---[ end trace 68741688d5fbfe85 ]---
+
+commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
+dereference in put_links") forgot to handle start_unregistering() case,
+while header->parent is NULL, it calls erase_header() and as seen in the
+above syzkaller call trace, accessing &header->parent->root will trigger
+a NULL pointer dereference.
+
+As that commit explained, there is also no need to call
+start_unregistering() if header->parent is NULL.
+
+Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
+Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/proc_sysctl.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1620,9 +1620,11 @@ static void drop_sysctl_table(struct ctl
+       if (--header->nreg)
+               return;
+-      if (parent)
++      if (parent) {
+               put_links(header);
+-      start_unregistering(header);
++              start_unregistering(header);
++      }
++
+       if (!--header->count)
+               kfree_rcu(header, rcu);
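Review bot: The new `if (parent)` block skips start_unregistering() for a parentless header without saying why, and the commit message's reasoning (the header was never linked in, so there is nothing to erase) is easy to lose; a comment such as `/* a header that never acquired a parent was never inserted into the tree, so there are no links to drop and nothing to erase */` on the block would keep a future reader from reverting it as a missing unregister. Presumably this is the get_subdir() failure path seen in the trace — worth stating in the comment if so. drop_sysctl_table starts outside the hunk.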
diff --git a/queue-4.14/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch b/queue-4.14/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
new file mode 100644 (file)
index 0000000..f2edf45
--- /dev/null
@@ -0,0 +1,34 @@
+From 91d3f8a629849968dc91d6ce54f2d46abf4feb7f Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 1 Mar 2019 10:09:55 +0200
+Subject: intel_th: gth: Fix an off-by-one in output unassigning
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f upstream.
+
+Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+fixes a NULL dereference for all masters except the last one ("256+"),
+which keeps the stale pointer after the output driver had been unassigned.
+
+Fix the off-by-one.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/gth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -624,7 +624,7 @@ static void intel_th_gth_unassign(struct
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
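Review bot: `master <= TH_CONFIGURABLE_MASTERS` reads like a textbook off-by-one and is likely to be "corrected" again unless the loop is annotated; per the commit message the extra slot is the "256+" master, so a comment such as `/* master[] has TH_CONFIGURABLE_MASTERS + 1 entries; the last one is the "256+" catch-all */` belongs directly above the for. Whether gth->master[] is actually sized that way is not visible in this hunk — confirm against the struct definition before merging. intel_th_gth_unassign begins outside the hunk.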
diff --git a/queue-4.14/ipvs-fix-warning-on-unused-variable.patch b/queue-4.14/ipvs-fix-warning-on-unused-variable.patch
new file mode 100644 (file)
index 0000000..b247ba2
--- /dev/null
@@ -0,0 +1,51 @@
+From c93a49b9769e435990c82297aa0baa31e1538790 Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Fri, 15 Feb 2019 17:51:48 +0100
+Subject: ipvs: fix warning on unused variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrea Claudi <aclaudi@redhat.com>
+
+commit c93a49b9769e435990c82297aa0baa31e1538790 upstream.
+
+When CONFIG_IP_VS_IPV6 is not defined, build produced this warning:
+
+net/netfilter/ipvs/ip_vs_ctl.c:899:6: warning: unused variable ‘ret’ [-Wunused-variable]
+  int ret = 0;
+      ^~~
+
+Fix this by moving the declaration of 'ret' in the CONFIG_IP_VS_IPV6
+section in the same function.
+
+While at it, drop its unneeded initialisation.
+
+Fixes: 098e13f5b21d ("ipvs: fix dependency on nf_defrag_ipv6")
+Reported-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -889,12 +889,13 @@ ip_vs_new_dest(struct ip_vs_service *svc
+ {
+       struct ip_vs_dest *dest;
+       unsigned int atype, i;
+-      int ret = 0;
+       EnterFunction(2);
+ #ifdef CONFIG_IP_VS_IPV6
+       if (udest->af == AF_INET6) {
++              int ret;
++
+               atype = ipv6_addr_type(&udest->addr.in6);
+               if ((!(atype & IPV6_ADDR_UNICAST) ||
+                       atype & IPV6_ADDR_LINKLOCAL) &&
diff --git a/queue-4.14/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-4.14/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
new file mode 100644 (file)
index 0000000..92c820e
--- /dev/null
@@ -0,0 +1,34 @@
+From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 15 Apr 2019 00:43:00 +0200
+Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream.
+
+It means userspace gave us a ruleset where there is some other
+data after the ebtables target but before the beginning of the next rule.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2030,7 +2030,8 @@ static int ebt_size_mwt(struct compat_eb
+               if (match_kern)
+                       match_kern->match_size = ret;
+-              if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++              /* rule should have no remaining data after target */
++              if (type == EBT_COMPAT_TARGET && size_left)
+                       return -EINVAL;
+               match32 = (struct compat_ebt_entry_mwt *) buf;
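Review bot: The added comment says what is checked but not why it stopped being a WARN_ON: `size_left` here is derived from the userspace-supplied ruleset, so a WARN_ON on it is a user-triggerable splat (and a panic under panic_on_warn) rather than a kernel invariant; suggest `/* trailing data after the target means a malformed ruleset from userspace, not a kernel bug: reject it quietly */`. Note that `match_kern->match_size = ret` is stored just before the check, which is presumably harmless only because the caller discards the partially-built table on -EINVAL. ebt_size_mwt starts and ends outside the hunk.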
diff --git a/queue-4.14/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-4.14/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
new file mode 100644 (file)
index 0000000..2672a79
--- /dev/null
@@ -0,0 +1,43 @@
+From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 30 Mar 2019 10:21:07 +0900
+Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.
+
+syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
+is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
+(which is embedded into user-visible "struct nfs_mount_data" structure)
+despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
+bytes of AF_INET6 address to rpc_sockaddr2uaddr().
+
+Since "struct nfs_mount_data" structure is user-visible, we can't change
+"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
+assuming that everybody is using AF_INET family when passing address via
+"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.
+
+[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c
+
+Reported-by: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2044,7 +2044,8 @@ static int nfs23_validate_mount_data(voi
+               memcpy(sap, &data->addr, sizeof(data->addr));
+               args->nfs_server.addrlen = sizeof(data->addr);
+               args->nfs_server.port = ntohs(data->addr.sin_port);
+-              if (!nfs_verify_server_address(sap))
++              if (sap->sa_family != AF_INET ||
++                  !nfs_verify_server_address(sap))
+                       goto out_no_address;
+               if (!(data->flags & NFS_MOUNT_TCP))
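Review bot: The new family check runs after `sap`, `addrlen` and `port` have already been filled from the sockaddr_in, which is fine on the goto path but makes the reader connect `sap->sa_family` back to `data->addr.sin_family`; checking `data->addr.sin_family != AF_INET` directly, or a comment like `/* data->addr is a sockaddr_in: only AF_INET can be represented, anything else would make rpc_sockaddr2uaddr() read past it */`, would make the intent explicit. The `args->nfs_server.port` assignment on the previous line is not undone on failure, so confirm out_no_address does not reuse args. nfs23_validate_mount_data starts and ends outside the hunk.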
diff --git a/queue-4.14/sched-deadline-correctly-handle-active-0-lag-timers.patch b/queue-4.14/sched-deadline-correctly-handle-active-0-lag-timers.patch
new file mode 100644 (file)
index 0000000..ee16500
--- /dev/null
@@ -0,0 +1,64 @@
+From 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f Mon Sep 17 00:00:00 2001
+From: luca abeni <luca.abeni@santannapisa.it>
+Date: Mon, 25 Mar 2019 14:15:30 +0100
+Subject: sched/deadline: Correctly handle active 0-lag timers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: luca abeni <luca.abeni@santannapisa.it>
+
+commit 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f upstream.
+
+syzbot reported the following warning:
+
+   [ ] WARNING: CPU: 4 PID: 17089 at kernel/sched/deadline.c:255 task_non_contending+0xae0/0x1950
+
+line 255 of deadline.c is:
+
+       WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+
+in task_non_contending().
+
+Unfortunately, in some cases (for example, a deadline task
+continuosly blocking and waking immediately) it can happen that
+a task blocks (and task_non_contending() is called) while the
+0-lag timer is still active.
+
+In this case, the safest thing to do is to immediately decrease
+the running bandwidth of the task, without trying to re-arm the 0-lag timer.
+
+Signed-off-by: luca abeni <luca.abeni@santannapisa.it>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: chengjian (D) <cj.chengjian@huawei.com>
+Link: https://lkml.kernel.org/r/20190325131530.34706-1-luca.abeni@santannapisa.it
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/deadline.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -217,7 +217,6 @@ static void task_non_contending(struct t
+       if (dl_se->dl_runtime == 0)
+               return;
+-      WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+       WARN_ON(dl_se->dl_non_contending);
+       zerolag_time = dl_se->deadline -
+@@ -234,7 +233,7 @@ static void task_non_contending(struct t
+        * If the "0-lag time" already passed, decrease the active
+        * utilization now, instead of starting a timer
+        */
+-      if (zerolag_time < 0) {
++      if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) {
+               if (dl_task(p))
+                       sub_running_bw(dl_se->dl_bw, dl_rq);
+               if (!dl_task(p) || p->state == TASK_DEAD) {
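Review bot: The context comment just above the changed condition (`If the "0-lag time" already passed, decrease the active utilization now, instead of starting a timer`) no longer describes it, since the branch now also fires when `inactive_timer` is still armed from a previous block; it should read along the lines of `If the 0-lag time already passed, or the inactive timer from a previous block is still pending, decrease the active utilization now instead of (re-)arming the timer`. The commit message's continuous block/wake scenario is the reason and is worth a clause in that comment. task_non_contending continues past the hunk.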
index 467078a5cbe9e9f04efc81a20a28e9708dff2a9a..9fede67354ff6480b2c4a5e7f4cf8518631e33d6 100644 (file)
@@ -24,3 +24,15 @@ usb-add-new-usb-lpm-helpers.patch
 usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch
 ext4-fix-some-error-pointer-dereferences.patch
 vsock-virtio-fix-kernel-panic-from-virtio_transport_reset_no_sock.patch
+tipc-handle-the-err-returned-from-cmd-header-function.patch
+slip-make-slhc_free-silently-accept-an-error-pointer.patch
+intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
+fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
+ipvs-fix-warning-on-unused-variable.patch
+binder-fix-handling-of-misaligned-binder-object.patch
+sched-deadline-correctly-handle-active-0-lag-timers.patch
+nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
+netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
+fm10k-fix-a-potential-null-pointer-dereference.patch
+tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
+tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
diff --git a/queue-4.14/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-4.14/slip-make-slhc_free-silently-accept-an-error-pointer.patch
new file mode 100644 (file)
index 0000000..c52a7c0
--- /dev/null
@@ -0,0 +1,48 @@
+From baf76f0c58aec435a3a864075b8f6d8ee5d1f17e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 25 Apr 2019 16:13:58 -0700
+Subject: slip: make slhc_free() silently accept an error pointer
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream.
+
+This way, slhc_free() accepts what slhc_init() returns, whether that is
+an error or not.
+
+In particular, the pattern in sl_alloc_bufs() is
+
+        slcomp = slhc_init(16, 16);
+        ...
+        slhc_free(slcomp);
+
+for the error handling path, and rather than complicate that code, just
+make it ok to always free what was returned by the init function.
+
+That's what the code used to do before commit 4ab42d78e37a ("ppp, slip:
+Validate VJ compression slot parameters completely") when slhc_init()
+just returned NULL for the error case, with no actual indication of the
+details of the error.
+
+Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
+Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
+Acked-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/slip/slhc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -153,7 +153,7 @@ out_fail:
+ void
+ slhc_free(struct slcompress *comp)
+ {
+-      if ( comp == NULLSLCOMPR )
++      if ( IS_ERR_OR_NULL(comp) )
+               return;
+       if ( comp->tstate != NULLSLSTATE )
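Review bot: slhc_free() now silently accepts ERR_PTR values, a contract change that error paths such as sl_alloc_bufs (per the commit message) depend on but that nothing at the definition documents; a comment above it, `/* Accepts NULL or an ERR_PTR() as returned by slhc_init(), so callers may free unconditionally on their error paths */`, would stop someone from tightening it back to a plain NULL check. IS_ERR_OR_NULL() needs linux/err.h in scope, which the hunk does not show — confirm the include is already present. The function body continues past the hunk.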
diff --git a/queue-4.14/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch b/queue-4.14/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
new file mode 100644 (file)
index 0000000..c089299
--- /dev/null
@@ -0,0 +1,69 @@
+From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:08 +0800
+Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream.
+
+Syzbot reported the following crash:
+
+BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
+  memchr+0xce/0x110 lib/string.c:961
+  string_is_valid net/tipc/netlink_compat.c:176 [inline]
+  tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
+  __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
+  tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
+  tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
+  tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
+  genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+  genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+  genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+  sock_sendmsg_nosec net/socket.c:622 [inline]
+  sock_sendmsg net/socket.c:632 [inline]
+
+Uninit was created at:
+  __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+  alloc_skb include/linux/skbuff.h:1012 [inline]
+  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+  netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+  sock_sendmsg_nosec net/socket.c:622 [inline]
+  sock_sendmsg net/socket.c:632 [inline]
+
+It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
+it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
+also includes priority and disc_domain length.
+
+This patch is to fix it by checking it with a right length:
+'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
+
+Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -394,7 +394,12 @@ static int tipc_nl_compat_bearer_enable(
+       if (!bearer)
+               return -EMSGSIZE;
+-      len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++      len = TLV_GET_DATA_LEN(msg->req);
++      len -= offsetof(struct tipc_bearer_config, name);
++      if (len <= 0)
++              return -EINVAL;
++
++      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+       if (!string_is_valid(b->name, len))
+               return -EINVAL;
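Review bot: The new `len <= 0` guard only works if `len` is signed; its declaration is outside the hunk, and if it were `unsigned`/`size_t` the subtraction of `offsetof(struct tipc_bearer_config, name)` would wrap and the check would never fire — confirm it is `int` (the removed `min_t(int, ...)` suggests so). The check also bounds only the name: whether the `priority` and `disc_domain` fields the commit message says follow `name` are within `TLV_GET_DATA_LEN(msg->req)` before they are read is not visible here and is the same uninitialised-read class the KMSAN report describes, so it should be verified. tipc_nl_compat_bearer_enable starts and ends outside the hunk.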
diff --git a/queue-4.14/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch b/queue-4.14/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
new file mode 100644 (file)
index 0000000..ac961bf
--- /dev/null
@@ -0,0 +1,41 @@
+From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:09 +0800
+Subject: tipc: check link name with right length in tipc_nl_compat_link_set
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.
+
+A similar issue as fixed by Patch "tipc: check bearer name with right
+length in tipc_nl_compat_bearer_enable" was also found by syzbot in
+tipc_nl_compat_link_set().
+
+The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
+offsetof(struct tipc_link_config, name)'.
+
+Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -768,7 +768,12 @@ static int tipc_nl_compat_link_set(struc
+       lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+-      len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++      len = TLV_GET_DATA_LEN(msg->req);
++      len -= offsetof(struct tipc_link_config, name);
++      if (len <= 0)
++              return -EINVAL;
++
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(lc->name, len))
+               return -EINVAL;
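Review bot: The new bound at `len -= offsetof(struct tipc_link_config, name);` subtracts a size_t from `len`, so the following `if (len <= 0)` rejects a TLV shorter than the fixed prefix only if `len` is a signed int; its declaration is outside the hunk, so that should be confirmed rather than assumed, or the check written without the mixed-sign step, e.g. `if (TLV_GET_DATA_LEN(msg->req) <= (int)offsetof(struct tipc_link_config, name)) return -EINVAL;`. The reason for the subtraction lives only in the commit message, so a one-line comment above it would help the next reader: `/* the TLV holds a whole struct tipc_link_config; only the bytes past the fixed fields belong to name */`. The same arithmetic is hand-rolled in tipc_nl_compat_bearer_enable by the sibling patch, so a small shared helper would keep the two bounds from drifting. tipc_nl_compat_link_set starts and ends outside the hunk.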
diff --git a/queue-4.14/tipc-handle-the-err-returned-from-cmd-header-function.patch b/queue-4.14/tipc-handle-the-err-returned-from-cmd-header-function.patch
new file mode 100644 (file)
index 0000000..3b307b2
--- /dev/null
@@ -0,0 +1,77 @@
+From 2ac695d1d602ce00b12170242f58c3d3a8e36d04 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:10 +0800
+Subject: tipc: handle the err returned from cmd header function
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 2ac695d1d602ce00b12170242f58c3d3a8e36d04 upstream.
+
+Syzbot found a crash:
+
+  BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+  Call Trace:
+    tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+    __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
+    tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
+    tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
+    tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
+    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+    genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+    netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+    netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+    netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+    netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+    sock_sendmsg_nosec net/socket.c:622 [inline]
+    sock_sendmsg net/socket.c:632 [inline]
+
+  Uninit was created at:
+    __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+    alloc_skb include/linux/skbuff.h:1012 [inline]
+    netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+    netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+    sock_sendmsg_nosec net/socket.c:622 [inline]
+    sock_sendmsg net/socket.c:632 [inline]
+
+It was supposed to be fixed on commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
+in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
+ahead of tipc_nl_compat_name_table_dump().
+
+However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd
+header function. It means even when the check added in that fix fails, it
+won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be
+triggered again.
+
+So this patch is to add the process for the err returned from cmd header
+function in tipc_nl_compat_dumpit().
+
+Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -262,8 +262,14 @@ static int tipc_nl_compat_dumpit(struct
+       if (msg->rep_type)
+               tipc_tlv_init(msg->rep, msg->rep_type);
+-      if (cmd->header)
+-              (*cmd->header)(msg);
++      if (cmd->header) {
++              err = (*cmd->header)(msg);
++              if (err) {
++                      kfree_skb(msg->rep);
++                      msg->rep = NULL;
++                      return err;
++              }
++      }
+       arg = nlmsg_new(0, GFP_KERNEL);
+       if (!arg) {