5.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:16:28 +0000 (14:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 12:16:28 +0000 (14:16 +0200)
added patches:
fm10k-fix-a-potential-null-pointer-dereference.patch
mac80211_hwsim-calculate-if_combination.max_interfaces.patch
net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
net-rds-check-address-length-before-reading-address-family.patch
netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch

queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch [new file with mode: 0644]
queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch [new file with mode: 0644]
queue-5.0/net-rds-check-address-length-before-reading-address-family.patch [new file with mode: 0644]
queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch [new file with mode: 0644]
queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch [new file with mode: 0644]
queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch [new file with mode: 0644]
queue-5.0/series
queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch [new file with mode: 0644]
queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch [new file with mode: 0644]

diff --git a/queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch b/queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..2c10fc8
--- /dev/null
@@ -0,0 +1,74 @@
+From 01ca667133d019edc9f0a1f70a272447c84ec41f Mon Sep 17 00:00:00 2001
+From: Yue Haibing <yuehaibing@huawei.com>
+Date: Thu, 21 Mar 2019 22:42:23 +0800
+Subject: fm10k: Fix a potential NULL pointer dereference
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+commit 01ca667133d019edc9f0a1f70a272447c84ec41f upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4378 Comm: syz-executor.0 Tainted: G         C        5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:__lock_acquire+0x95b/0x3200 kernel/locking/lockdep.c:3573
+Code: 00 0f 85 28 1e 00 00 48 81 c4 08 01 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 24 00 00 49 81 7d 00 e0 de 03 a6 41 bc 00 00
+RSP: 0018:ffff8881e3c07a40 EFLAGS: 00010002
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8881e3c07d98 R11: ffff8881c7f21f80 R12: 0000000000000001
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000001
+FS:  00007fce2252e700(0000) GS:ffff8881f2400000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fffc7eb0228 CR3: 00000001e5bea002 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ lock_acquire+0xff/0x2c0 kernel/locking/lockdep.c:4211
+ __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+ __mutex_lock+0xdf/0x1050 kernel/locking/mutex.c:1072
+ drain_workqueue+0x24/0x3f0 kernel/workqueue.c:2934
+ destroy_workqueue+0x23/0x630 kernel/workqueue.c:4319
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x30c/0x480 kernel/module.c:961
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fce2252dc58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce2252e6bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+If alloc_workqueue fails, it should return -ENOMEM, otherwise may
+trigger this NULL pointer dereference while unloading drivers.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 0a38c17a21a0 ("fm10k: Remove create_workqueue")
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -41,6 +41,8 @@ static int __init fm10k_init_module(void
+       /* create driver workqueue */
+       fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0,
+                                         fm10k_driver_name);
++      if (!fm10k_workqueue)
++              return -ENOMEM;
+       fm10k_dbg_init();
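Review bot: The added `return -ENOMEM` in fm10k_init_module() handles the failed allocation, but the hunk does not show whether a later failing init step releases `fm10k_workqueue`, because the function continues past it. If anything after `fm10k_dbg_init()` can return an error, that path should call `destroy_workqueue(fm10k_workqueue)` before returning, or the module load fails with the queue still allocated. This is worth confirming against the full function in the 5.0 tree before the backport is taken.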
diff --git a/queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch b/queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch
new file mode 100644 (file)
index 0000000..3f456e2
--- /dev/null
@@ -0,0 +1,61 @@
+From 45fcef8b727b6f171bc5443e8153181a367d7a15 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 29 Mar 2019 08:56:22 +0100
+Subject: mac80211_hwsim: calculate if_combination.max_interfaces
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 45fcef8b727b6f171bc5443e8153181a367d7a15 upstream.
+
+If we just set this to 2048, and have multiple limits you
+can select from, the total number might run over and cause
+a warning in cfg80211. This doesn't make sense, so we just
+calculate the total max_interfaces now.
+
+Reported-by: syzbot+8f91bd563bbff230d0ee@syzkaller.appspotmail.com
+Fixes: 99e3a44bac37 ("mac80211_hwsim: allow setting iftype support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2642,7 +2642,7 @@ static int mac80211_hwsim_new_radio(stru
+       enum nl80211_band band;
+       const struct ieee80211_ops *ops = &mac80211_hwsim_ops;
+       struct net *net;
+-      int idx;
++      int idx, i;
+       int n_limits = 0;
+       if (WARN_ON(param->channels > 1 && !param->use_chanctx))
+@@ -2766,12 +2766,23 @@ static int mac80211_hwsim_new_radio(stru
+               goto failed_hw;
+       }
++      data->if_combination.max_interfaces = 0;
++      for (i = 0; i < n_limits; i++)
++              data->if_combination.max_interfaces +=
++                      data->if_limits[i].max;
++
+       data->if_combination.n_limits = n_limits;
+-      data->if_combination.max_interfaces = 2048;
+       data->if_combination.limits = data->if_limits;
+-      hw->wiphy->iface_combinations = &data->if_combination;
+-      hw->wiphy->n_iface_combinations = 1;
++      /*
++       * If we actually were asked to support combinations,
++       * advertise them - if there's only a single thing like
++       * only IBSS then don't advertise it as combinations.
++       */
++      if (data->if_combination.max_interfaces > 1) {
++              hw->wiphy->iface_combinations = &data->if_combination;
++              hw->wiphy->n_iface_combinations = 1;
++      }
+       if (param->ciphers) {
+               memcpy(data->ciphers, param->ciphers,
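Review bot: When the computed `max_interfaces` is 0 or 1, the new `if (data->if_combination.max_interfaces > 1)` branch leaves `hw->wiphy->iface_combinations` and `n_iface_combinations` at whatever value they already had. The code therefore relies on them being NULL and 0, which is established outside the visible lines of mac80211_hwsim_new_radio(). If that holds, the existing comment should say so, for example `* (wiphy fields stay zeroed, so no combinations are advertised)`. The sum is also accumulated without a bound; the field width of `max_interfaces` is not visible here, so it should be confirmed that the per-limit `max` values cannot add up past it.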
diff --git a/queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch b/queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
new file mode 100644 (file)
index 0000000..93f5bb8
--- /dev/null
@@ -0,0 +1,250 @@
+From d3706566ae3d92677b932dd156157fd6c72534b1 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 9 Apr 2019 19:53:55 +0800
+Subject: net: netrom: Fix error cleanup path of nr_proto_init
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit d3706566ae3d92677b932dd156157fd6c72534b1 upstream.
+
+Syzkaller report this:
+
+BUG: unable to handle kernel paging request at fffffbfff830524b
+PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c9716067 PTE 0
+Oops: 0000 [#1] SMP KASAN PTI
+CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:__list_add_valid+0x21/0xe0 lib/list_debug.c:23
+Code: 8b 0c 24 e9 17 fd ff ff 90 55 48 89 fd 48 8d 7a 08 53 48 89 d3 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 8b 00 00 00 48 8b 53 08 48 39 f2 75 35 48 89 f2
+RSP: 0018:ffff8881ea2278d0 EFLAGS: 00010282
+RAX: dffffc0000000000 RBX: ffffffffc1829250 RCX: 1ffff1103d444ef4
+RDX: 1ffffffff830524b RSI: ffffffff85659300 RDI: ffffffffc1829258
+RBP: ffffffffc1879250 R08: fffffbfff0acb269 R09: fffffbfff0acb269
+R10: ffff8881ea2278f0 R11: fffffbfff0acb268 R12: ffffffffc1829250
+R13: dffffc0000000000 R14: 0000000000000008 R15: ffffffffc187c830
+FS:  00007fe0361df700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff830524b CR3: 00000001eb39a001 CR4: 00000000007606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ __list_add include/linux/list.h:60 [inline]
+ list_add include/linux/list.h:79 [inline]
+ proto_register+0x444/0x8f0 net/core/sock.c:3375
+ nr_proto_init+0x73/0x4b3 [netrom]
+ ? 0xffffffffc1628000
+ ? 0xffffffffc1628000
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe0361dec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00007fe0361dec70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe0361df6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+Modules linked in: netrom(+) ax25 fcrypt pcbc af_alg arizona_ldo1 v4l2_common videodev media v4l2_dv_timings hdlc ide_cd_mod snd_soc_sigmadsp_regmap snd_soc_sigmadsp intel_spi_platform intel_spi mtd spi_nor snd_usbmidi_lib usbcore lcd ti_ads7950 hi6421_regulator snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_hda_ext_core snd_hda_core snd_soc_rt5663 snd_soc_core snd_pcm_dmaengine snd_compress snd_soc_rl6231 mac80211 rtc_rc5t583 spi_slave_time leds_pwm hid_gt683r hid industrialio_triggered_buffer kfifo_buf industrialio ir_kbd_i2c rc_core led_class_flash dwc_xlgmac snd_ymfpci gameport snd_mpu401_uart snd_rawmidi snd_ac97_codec snd_pcm ac97_bus snd_opl3_lib snd_timer snd_seq_device snd_hwdep snd soundcore iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan
+ bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ide_pci_generic piix aesni_intel aes_x86_64 crypto_simd cryptd glue_helper ide_core psmouse input_leds i2c_piix4 serio_raw intel_agp intel_gtt ata_generic agpgart pata_acpi parport_pc rtc_cmos parport floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: rxrpc]
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+CR2: fffffbfff830524b
+---[ end trace 039ab24b305c4b19 ]---
+
+If nr_proto_init failed, it may forget to call proto_unregister,
+tiggering this issue.This patch rearrange code of nr_proto_init
+to avoid such issues.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netrom.h           |    2 -
+ net/netrom/af_netrom.c         |   76 +++++++++++++++++++++++++++++------------
+ net/netrom/nr_loopback.c       |    2 -
+ net/netrom/nr_route.c          |    2 -
+ net/netrom/sysctl_net_netrom.c |    5 ++
+ 5 files changed, 61 insertions(+), 26 deletions(-)
+
+--- a/include/net/netrom.h
++++ b/include/net/netrom.h
+@@ -266,7 +266,7 @@ void nr_stop_idletimer(struct sock *);
+ int nr_t1timer_running(struct sock *);
+ /* sysctl_net_netrom.c */
+-void nr_register_sysctl(void);
++int nr_register_sysctl(void);
+ void nr_unregister_sysctl(void);
+ #endif
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1392,18 +1392,22 @@ static int __init nr_proto_init(void)
+       int i;
+       int rc = proto_register(&nr_proto, 0);
+-      if (rc != 0)
+-              goto out;
++      if (rc)
++              return rc;
+       if (nr_ndevs > 0x7fffffff/sizeof(struct net_device *)) {
+-              printk(KERN_ERR "NET/ROM: nr_proto_init - nr_ndevs parameter to large\n");
+-              return -1;
++              pr_err("NET/ROM: %s - nr_ndevs parameter too large\n",
++                     __func__);
++              rc = -EINVAL;
++              goto unregister_proto;
+       }
+       dev_nr = kcalloc(nr_ndevs, sizeof(struct net_device *), GFP_KERNEL);
+-      if (dev_nr == NULL) {
+-              printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n");
+-              return -1;
++      if (!dev_nr) {
++              pr_err("NET/ROM: %s - unable to allocate device array\n",
++                     __func__);
++              rc = -ENOMEM;
++              goto unregister_proto;
+       }
+       for (i = 0; i < nr_ndevs; i++) {
+@@ -1413,13 +1417,13 @@ static int __init nr_proto_init(void)
+               sprintf(name, "nr%d", i);
+               dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup);
+               if (!dev) {
+-                      printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device structure\n");
++                      rc = -ENOMEM;
+                       goto fail;
+               }
+               dev->base_addr = i;
+-              if (register_netdev(dev)) {
+-                      printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register network device\n");
++              rc = register_netdev(dev);
++              if (rc) {
+                       free_netdev(dev);
+                       goto fail;
+               }
+@@ -1427,36 +1431,64 @@ static int __init nr_proto_init(void)
+               dev_nr[i] = dev;
+       }
+-      if (sock_register(&nr_family_ops)) {
+-              printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register socket family\n");
++      rc = sock_register(&nr_family_ops);
++      if (rc)
+               goto fail;
+-      }
+-      register_netdevice_notifier(&nr_dev_notifier);
++      rc = register_netdevice_notifier(&nr_dev_notifier);
++      if (rc)
++              goto out_sock;
+       ax25_register_pid(&nr_pid);
+       ax25_linkfail_register(&nr_linkfail_notifier);
+ #ifdef CONFIG_SYSCTL
+-      nr_register_sysctl();
++      rc = nr_register_sysctl();
++      if (rc)
++              goto out_sysctl;
+ #endif
+       nr_loopback_init();
+-      proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops);
+-      proc_create_seq("nr_neigh", 0444, init_net.proc_net, &nr_neigh_seqops);
+-      proc_create_seq("nr_nodes", 0444, init_net.proc_net, &nr_node_seqops);
+-out:
+-      return rc;
++      rc = -ENOMEM;
++      if (!proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops))
++              goto proc_remove1;
++      if (!proc_create_seq("nr_neigh", 0444, init_net.proc_net,
++                           &nr_neigh_seqops))
++              goto proc_remove2;
++      if (!proc_create_seq("nr_nodes", 0444, init_net.proc_net,
++                           &nr_node_seqops))
++              goto proc_remove3;
++
++      return 0;
++
++proc_remove3:
++      remove_proc_entry("nr_neigh", init_net.proc_net);
++proc_remove2:
++      remove_proc_entry("nr", init_net.proc_net);
++proc_remove1:
++
++      nr_loopback_clear();
++      nr_rt_free();
++
++#ifdef CONFIG_SYSCTL
++      nr_unregister_sysctl();
++out_sysctl:
++#endif
++      ax25_linkfail_release(&nr_linkfail_notifier);
++      ax25_protocol_release(AX25_P_NETROM);
++      unregister_netdevice_notifier(&nr_dev_notifier);
++out_sock:
++      sock_unregister(PF_NETROM);
+ fail:
+       while (--i >= 0) {
+               unregister_netdev(dev_nr[i]);
+               free_netdev(dev_nr[i]);
+       }
+       kfree(dev_nr);
++unregister_proto:
+       proto_unregister(&nr_proto);
+-      rc = -1;
+-      goto out;
++      return rc;
+ }
+ module_init(nr_proto_init);
+--- a/net/netrom/nr_loopback.c
++++ b/net/netrom/nr_loopback.c
+@@ -70,7 +70,7 @@ static void nr_loopback_timer(struct tim
+       }
+ }
+-void __exit nr_loopback_clear(void)
++void nr_loopback_clear(void)
+ {
+       del_timer_sync(&loopback_timer);
+       skb_queue_purge(&loopback_queue);
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -953,7 +953,7 @@ const struct seq_operations nr_neigh_seq
+ /*
+  *    Free all memory associated with the nodes and routes lists.
+  */
+-void __exit nr_rt_free(void)
++void nr_rt_free(void)
+ {
+       struct nr_neigh *s = NULL;
+       struct nr_node  *t = NULL;
+--- a/net/netrom/sysctl_net_netrom.c
++++ b/net/netrom/sysctl_net_netrom.c
+@@ -146,9 +146,12 @@ static struct ctl_table nr_table[] = {
+       { }
+ };
+-void __init nr_register_sysctl(void)
++int __init nr_register_sysctl(void)
+ {
+       nr_table_header = register_net_sysctl(&init_net, "net/netrom", nr_table);
++      if (!nr_table_header)
++              return -ENOMEM;
++      return 0;
+ }
+ void nr_unregister_sysctl(void)
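Review bot: The reworked nr_proto_init() drops the error messages for the `alloc_netdev`, `register_netdev` and `sock_register` failures, while the two earlier failure paths still log through `pr_err(... __func__)`. A failed module load on those paths now leaves only an errno and no hint of which step failed. I would keep one line per path, e.g. `pr_err("NET/ROM: %s - unable to register network device\n", __func__);` before the corresponding `goto fail`. The new unwind labels look ordered correctly against the setup sequence, but the function starts outside the hunk, so the `fail:` loop's reliance on `i` should be checked against the full body.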
diff --git a/queue-5.0/net-rds-check-address-length-before-reading-address-family.patch b/queue-5.0/net-rds-check-address-length-before-reading-address-family.patch
new file mode 100644 (file)
index 0000000..22bc2fb
--- /dev/null
@@ -0,0 +1,52 @@
+From dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 12 Apr 2019 19:51:52 +0900
+Subject: net/rds: Check address length before reading address family
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee upstream.
+
+syzbot is reporting uninitialized value at rds_connect() [1] and
+rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas
+these functions expect that it is safe to access sockaddr->family field
+in order to determine minimal address length for validation.
+
+[1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71
+[2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f
+
+Reported-by: syzbot <syzbot+0049bebbf3042dbd2e8f@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+915c9f99f3dbc4bd6cd1@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/af_rds.c |    3 +++
+ net/rds/bind.c   |    2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -506,6 +506,9 @@ static int rds_connect(struct socket *so
+       struct rds_sock *rs = rds_sk_to_rs(sk);
+       int ret = 0;
++      if (addr_len < offsetofend(struct sockaddr, sa_family))
++              return -EINVAL;
++
+       lock_sock(sk);
+       switch (uaddr->sa_family) {
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct
+       /* We allow an RDS socket to be bound to either IPv4 or IPv6
+        * address.
+        */
++      if (addr_len < offsetofend(struct sockaddr, sa_family))
++              return -EINVAL;
+       if (uaddr->sa_family == AF_INET) {
+               struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
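Review bot: The new guard compares `addr_len` with `offsetofend(struct sockaddr, sa_family)`, which is a size_t expression, so a negative `addr_len` would convert to a large unsigned value and pass. This assumes `addr_len` is a signed int; its declaration is cut off in both hunk headers. The socket syscall layer presumably rejects negative lengths before rds_connect() and rds_bind() are reached, but making both checks self-contained costs nothing: `if (addr_len < 0 || addr_len < offsetofend(struct sockaddr, sa_family))`. The per-family length validation after `switch (uaddr->sa_family)` and `if (uaddr->sa_family == AF_INET)` lies outside the hunks and still has to cover the full address size for each family.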
diff --git a/queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
new file mode 100644 (file)
index 0000000..073b720
--- /dev/null
@@ -0,0 +1,34 @@
+From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 15 Apr 2019 00:43:00 +0200
+Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream.
+
+It means userspace gave us a ruleset where there is some other
+data after the ebtables target but before the beginning of the next rule.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_eb
+               if (match_kern)
+                       match_kern->match_size = ret;
+-              if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++              /* rule should have no remaining data after target */
++              if (type == EBT_COMPAT_TARGET && size_left)
+                       return -EINVAL;
+               match32 = (struct compat_ebt_entry_mwt *) buf;
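Review bot: The replacement comment in ebt_size_mwt() says what the check rejects but not why the WARN_ON was removed. The reason is what keeps a later cleanup from putting the warning back. The commit message makes clear that the condition is reachable from a userspace-supplied ruleset, so a warning here is log noise at best and a crash on systems that set panic_on_warn. I would word it as `/* userspace-controlled: no data may remain after the target; reject without WARN */`. The function body extends beyond the hunk on both sides.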
diff --git a/queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
new file mode 100644 (file)
index 0000000..27b944e
--- /dev/null
@@ -0,0 +1,43 @@
+From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 30 Mar 2019 10:21:07 +0900
+Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.
+
+syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
+is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
+(which is embedded into user-visible "struct nfs_mount_data" structure)
+despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
+bytes of AF_INET6 address to rpc_sockaddr2uaddr().
+
+Since "struct nfs_mount_data" structure is user-visible, we can't change
+"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
+assuming that everybody is using AF_INET family when passing address via
+"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.
+
+[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c
+
+Reported-by: syzbot <syzbot+047a11c361b872896a4f@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2041,7 +2041,8 @@ static int nfs23_validate_mount_data(voi
+               memcpy(sap, &data->addr, sizeof(data->addr));
+               args->nfs_server.addrlen = sizeof(data->addr);
+               args->nfs_server.port = ntohs(data->addr.sin_port);
+-              if (!nfs_verify_server_address(sap))
++              if (sap->sa_family != AF_INET ||
++                  !nfs_verify_server_address(sap))
+                       goto out_no_address;
+               if (!(data->flags & NFS_MOUNT_TCP))
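Review bot: The added `sap->sa_family != AF_INET` test in nfs23_validate_mount_data() carries no comment, and the reason is only recoverable from the commit message. `data->addr` is a `struct sockaddr_in` embedded in the user-visible mount data, so no other family can be represented in the bytes that were copied. A short comment above the condition would record this: `/* data->addr is a struct sockaddr_in; only AF_INET fits */`. The check runs after the `memcpy` and the addrlen/port assignments, which is harmless because failure jumps to `out_no_address`. That label is outside the hunk, so it should be confirmed that its message still makes sense for a wrong-family rejection.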
diff --git a/queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch b/queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
new file mode 100644 (file)
index 0000000..0d38256
--- /dev/null
@@ -0,0 +1,147 @@
+From 032be5f19a94de51093851757089133dcc1e92aa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 24 Apr 2019 09:44:11 -0700
+Subject: rxrpc: fix race condition in rxrpc_input_packet()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 032be5f19a94de51093851757089133dcc1e92aa upstream.
+
+After commit 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook"),
+rxrpc_input_packet() is directly called from lockless UDP receive
+path, under rcu_read_lock() protection.
+
+It must therefore use RCU rules :
+
+- udp_sk->sk_user_data can be cleared at any point in this function.
+  rcu_dereference_sk_user_data() is what we need here.
+
+- Also, since sk_user_data might have been set in rxrpc_open_socket()
+  we must observe a proper RCU grace period before kfree(local) in
+  rxrpc_lookup_local()
+
+v4: @local can be NULL in xrpc_lookup_local() as reported by kbuild test robot <lkp@intel.com>
+        and Julia Lawall <julia.lawall@lip6.fr>, thanks !
+
+v3,v2 : addressed David Howells feedback, thanks !
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 19236 Comm: syz-executor703 Not tainted 5.1.0-rc6 #79
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__lock_acquire+0xbef/0x3fb0 kernel/locking/lockdep.c:3573
+Code: 00 0f 85 a5 1f 00 00 48 81 c4 10 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 21 00 00 49 81 7d 00 20 54 9c 89 0f 84 cf f4
+RSP: 0018:ffff88809d7aef58 EFLAGS: 00010002
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000026 RSI: 0000000000000000 RDI: 0000000000000001
+RBP: ffff88809d7af090 R08: 0000000000000001 R09: 0000000000000001
+R10: ffffed1015d05bc7 R11: ffff888089428600 R12: 0000000000000000
+R13: 0000000000000130 R14: 0000000000000001 R15: 0000000000000001
+FS:  00007f059044d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004b6040 CR3: 00000000955ca000 CR4: 00000000001406f0
+Call Trace:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
+ skb_queue_tail+0x26/0x150 net/core/skbuff.c:2972
+ rxrpc_reject_packet net/rxrpc/input.c:1126 [inline]
+ rxrpc_input_packet+0x4a0/0x5536 net/rxrpc/input.c:1414
+ udp_queue_rcv_one_skb+0xaf2/0x1780 net/ipv4/udp.c:2011
+ udp_queue_rcv_skb+0x128/0x730 net/ipv4/udp.c:2085
+ udp_unicast_rcv_skb.isra.0+0xb9/0x360 net/ipv4/udp.c:2245
+ __udp4_lib_rcv+0x701/0x2ca0 net/ipv4/udp.c:2301
+ udp_rcv+0x22/0x30 net/ipv4/udp.c:2482
+ ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:413
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:523
+ __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4987
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5099
+ netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5202
+ napi_frags_finish net/core/dev.c:5769 [inline]
+ napi_gro_frags+0xade/0xd10 net/core/dev.c:5843
+ tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
+ tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
+ call_write_iter include/linux/fs.h:1866 [inline]
+ do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
+ do_iter_write fs/read_write.c:957 [inline]
+ do_iter_write+0x184/0x610 fs/read_write.c:938
+ vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
+ do_writev+0x15e/0x370 fs/read_write.c:1037
+ __do_sys_writev fs/read_write.c:1110 [inline]
+ __se_sys_writev fs/read_write.c:1107 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rxrpc/input.c        |   12 ++++++++----
+ net/rxrpc/local_object.c |    3 ++-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1155,19 +1155,19 @@ int rxrpc_extract_header(struct rxrpc_sk
+  * handle data received on the local endpoint
+  * - may be called in interrupt context
+  *
+- * The socket is locked by the caller and this prevents the socket from being
+- * shut down and the local endpoint from going away, thus sk_user_data will not
+- * be cleared until this function returns.
++ * [!] Note that as this is called from the encap_rcv hook, the socket is not
++ * held locked by the caller and nothing prevents sk_user_data on the UDP from
++ * being cleared in the middle of processing this function.
+  *
+  * Called with the RCU read lock held from the IP layer via UDP.
+  */
+ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
+ {
++      struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk);
+       struct rxrpc_connection *conn;
+       struct rxrpc_channel *chan;
+       struct rxrpc_call *call = NULL;
+       struct rxrpc_skb_priv *sp;
+-      struct rxrpc_local *local = udp_sk->sk_user_data;
+       struct rxrpc_peer *peer = NULL;
+       struct rxrpc_sock *rx = NULL;
+       unsigned int channel;
+@@ -1175,6 +1175,10 @@ int rxrpc_input_packet(struct sock *udp_
+       _enter("%p", udp_sk);
++      if (unlikely(!local)) {
++              kfree_skb(skb);
++              return 0;
++      }
+       if (skb->tstamp == 0)
+               skb->tstamp = ktime_get_real();
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -304,7 +304,8 @@ nomem:
+       ret = -ENOMEM;
+ sock_error:
+       mutex_unlock(&rxnet->local_mutex);
+-      kfree(local);
++      if (local)
++              call_rcu(&local->rcu, rxrpc_local_rcu);
+       _leave(" = %d", ret);
+       return ERR_PTR(ret);
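Review bot: In the local_object.c hunk the error path now passes `local` to `call_rcu(&local->rcu, rxrpc_local_rcu)` instead of freeing it directly, so the callback runs on an object whose setup failed partway. rxrpc_local_rcu() is not shown on this page. If it asserts on or tears down state that is only valid for a fully opened endpoint, this path would trip it, so the callback body should be checked before the backport is accepted. A one-line comment at the call, such as `/* sk_user_data may already point at local; wait for RCU readers before freeing */`, would record why a plain kfree() is no longer sufficient. The enclosing function begins outside the hunk.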
index bfb6456e0c4016aaa7418700a4b554173d71de80..12cfe01fae70a88c969ae9f6aad9124740d7912a 100644 (file)
@@ -52,3 +52,12 @@ slip-make-slhc_free-silently-accept-an-error-pointer.patch
 workqueue-try-to-catch-flush_work-without-init_work.patch
 binder-fix-handling-of-misaligned-binder-object.patch
 sched-deadline-correctly-handle-active-0-lag-timers.patch
+mac80211_hwsim-calculate-if_combination.max_interfaces.patch
+nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
+netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
+fm10k-fix-a-potential-null-pointer-dereference.patch
+tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
+tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
+net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
+net-rds-check-address-length-before-reading-address-family.patch
+rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
diff --git a/queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch b/queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
new file mode 100644 (file)
index 0000000..51e94f9
--- /dev/null
@@ -0,0 +1,69 @@
+From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:08 +0800
+Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream.
+
+Syzbot reported the following crash:
+
+BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
+  memchr+0xce/0x110 lib/string.c:961
+  string_is_valid net/tipc/netlink_compat.c:176 [inline]
+  tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
+  __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
+  tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
+  tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
+  tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
+  genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+  genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+  genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+  sock_sendmsg_nosec net/socket.c:622 [inline]
+  sock_sendmsg net/socket.c:632 [inline]
+
+Uninit was created at:
+  __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+  alloc_skb include/linux/skbuff.h:1012 [inline]
+  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+  netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+  sock_sendmsg_nosec net/socket.c:622 [inline]
+  sock_sendmsg net/socket.c:632 [inline]
+
+It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
+it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
+also includes priority and disc_domain length.
+
+This patch is to fix it by checking it with a right length:
+'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
+
+Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -403,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(
+       if (!bearer)
+               return -EMSGSIZE;
+-      len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++      len = TLV_GET_DATA_LEN(msg->req);
++      len -= offsetof(struct tipc_bearer_config, name);
++      if (len <= 0)
++              return -EINVAL;
++
++      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+       if (!string_is_valid(b->name, len))
+               return -EINVAL;
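Review bot: The `if (len <= 0)` guard in tipc_nl_compat_bearer_enable() rejects a TLV shorter than the fixed part of struct tipc_bearer_config only if `len` is a signed type, and its declaration is outside this hunk (the function starts before and continues after it). The `min_t(int, ...)` on the following line suggests an int, but if it were unsigned the subtraction would wrap and string_is_valid() would again be handed a length larger than the data actually received. I would state the dependency next to the check, `/* len is signed: a TLV shorter than the fixed fields goes negative here */`. The same applies to the identical lines added to tipc_nl_compat_link_set() in the next patch.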
diff --git a/queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch b/queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
new file mode 100644 (file)
index 0000000..bfa23ed
--- /dev/null
@@ -0,0 +1,41 @@
+From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:09 +0800
+Subject: tipc: check link name with right length in tipc_nl_compat_link_set
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.
+
+A similar issue as fixed by Patch "tipc: check bearer name with right
+length in tipc_nl_compat_bearer_enable" was also found by syzbot in
+tipc_nl_compat_link_set().
+
+The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
+offsetof(struct tipc_link_config, name)'.
+
+Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/netlink_compat.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -777,7 +777,12 @@ static int tipc_nl_compat_link_set(struc
+       lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+-      len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++      len = TLV_GET_DATA_LEN(msg->req);
++      len -= offsetof(struct tipc_link_config, name);
++      if (len <= 0)
++              return -EINVAL;
++
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(lc->name, len))
+               return -EINVAL;
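Review bot: The subtraction of `offsetof(struct tipc_link_config, name)` before the clamp carries no comment, so the reason the old bound was wrong lives only in the commit message. A one-line comment above `len = TLV_GET_DATA_LEN(msg->req);` would keep it with the code, for example `/* TLV data length covers the whole tipc_link_config; only the bytes from name onward may be scanned */`. The commit message describes this as the second handler with the same flaw, so the other string_is_valid() callers in netlink_compat.c, which are not visible on this page, are worth checking against the same length calculation. The body of tipc_nl_compat_link_set() starts and ends outside the hunk.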