--- /dev/null
+From 5c9934b6767b16ba60be22ec3cbd4379ad64170d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+ _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+ sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+ tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+ tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+ tiocsetd drivers/tty/tty_io.c:2337 [inline]
+ tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ file_ioctl fs/ioctl.c:545 [inline]
+ do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+ __do_sys_ioctl fs/ioctl.c:756 [inline]
+ __se_sys_ioctl fs/ioctl.c:754 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
+softirqs last enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(disc_data_lock);
+ <Interrupt>
+ lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+ _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+ </IRQ>
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_str
+ {
+ struct sixpack *sp;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ sp = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+ if (!sp)
+ return;
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -773,10 +773,10 @@ static void mkiss_close(struct tty_struc
+ {
+ struct mkiss *ax;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ ax = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+
+ if (!ax)
+ return;
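Review bot: write_lock_irq()/write_unlock_irq() unconditionally re-enable interrupts on unlock, so the new lines in sixpack_close() and mkiss_close() rely on both functions always being entered with interrupts enabled; the lockdep report above shows the tty_set_ldisc() process-context path, which satisfies that, but `write_lock_irqsave(&disc_data_lock, flags);` / `write_unlock_irqrestore(&disc_data_lock, flags);` would not depend on the caller's state. The fix is only complete if no other writer of disc_data_lock in these two files still uses the _bh variants, because sp_get()/sixpack_write_wakeup() take the read side from hardirq context (top frames of the report) and any remaining write_lock_bh() user would reproduce the same inconsistent-state warning. Both close functions begin before their hunk (only the signature appears in the @@ context) and continue past it.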
--- /dev/null
+From 5bf8bec3f4ce044a223c40cbce92590d938f0e9c Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Wed, 4 Dec 2019 16:52:37 -0800
+Subject: drm: limit to INT_MAX in create_blob ioctl
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c upstream.
+
+The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
+("uaccess: disallow > INT_MAX copy sizes")
+
+Code itself should have been fine as-is.
+
+Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
+Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_property.c
++++ b/drivers/gpu/drm/drm_property.c
+@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_devi
+ struct drm_property_blob *blob;
+ int ret;
+
+- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
++ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
+ return ERR_PTR(-EINVAL);
+
+ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
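Review bot: The new bound `INT_MAX - sizeof(struct drm_property_blob)` encodes a limit imposed by the hardened usercopy helpers rather than by the allocator, and nothing in the hunk says so; a reader seeing INT_MAX next to a size_t length and a kvzalloc() will take it for an arbitrary choice. Add a why-comment above the check, e.g. `/* INT_MAX, not ULONG_MAX: the usercopy helpers reject copies larger than INT_MAX, and the blob data presumably crosses the user boundary in the create_blob ioctl path. */`. The same comment can note that the bound also keeps `sizeof(struct drm_property_blob)+length` on the following line from wrapping. drm_property_create_blob() begins before the hunk and continues past it.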
--- /dev/null
+From 56144737e67329c9aaed15f942d46a6302e2e3d8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 6 Nov 2019 09:48:04 -0800
+Subject: hrtimer: Annotate lockless access to timer->state
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.
+
+syzbot reported various data-race caused by hrtimer_is_queued() reading
+timer->state. A READ_ONCE() is required there to silence the warning.
+
+Also add the corresponding WRITE_ONCE() when timer->state is set.
+
+In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
+loading timer->state twice.
+
+KCSAN reported these cases:
+
+BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
+
+write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
+ tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
+ tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
+ tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
+ tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
+ tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
+ tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+
+BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
+
+write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+
+read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
+ __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
+ tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ __sys_sendto+0x21f/0x320 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto net/socket.c:1960 [inline]
+ __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+[ tglx: Added comments ]
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/hrtimer.h | 14 ++++++++++----
+ kernel/time/hrtimer.c | 11 +++++++----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -456,12 +456,18 @@ extern u64 hrtimer_next_event_without(co
+
+ extern bool hrtimer_active(const struct hrtimer *timer);
+
+-/*
+- * Helper function to check, whether the timer is on one of the queues
++/**
++ * hrtimer_is_queued = check, whether the timer is on one of the queues
++ * @timer: Timer to check
++ *
++ * Returns: True if the timer is queued, false otherwise
++ *
++ * The function can be used lockless, but it gives only a current snapshot.
+ */
+-static inline int hrtimer_is_queued(struct hrtimer *timer)
++static inline bool hrtimer_is_queued(struct hrtimer *timer)
+ {
+- return timer->state & HRTIMER_STATE_ENQUEUED;
++ /* The READ_ONCE pairs with the update functions of timer->state */
++ return !!(READ_ONCE(timer->state) & HRTIMER_STATE_ENQUEUED);
+ }
+
+ /*
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -966,7 +966,8 @@ static int enqueue_hrtimer(struct hrtime
+
+ base->cpu_base->active_bases |= 1 << base->index;
+
+- timer->state = HRTIMER_STATE_ENQUEUED;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, HRTIMER_STATE_ENQUEUED);
+
+ return timerqueue_add(&base->active, &timer->node);
+ }
+@@ -988,7 +989,8 @@ static void __remove_hrtimer(struct hrti
+ struct hrtimer_cpu_base *cpu_base = base->cpu_base;
+ u8 state = timer->state;
+
+- timer->state = newstate;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, newstate);
+ if (!(state & HRTIMER_STATE_ENQUEUED))
+ return;
+
+@@ -1013,8 +1015,9 @@ static void __remove_hrtimer(struct hrti
+ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart)
+ {
+- if (hrtimer_is_queued(timer)) {
+- u8 state = timer->state;
++ u8 state = timer->state;
++
++ if (state & HRTIMER_STATE_ENQUEUED) {
+ int reprogram;
+
+ /*
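Review bot: The new kernel-doc header in the include/linux/hrtimer.h hunk reads `hrtimer_is_queued = check, ...`, but kernel-doc expects the `name - description` form, so the summary line will likely not be parsed; change it to ` * hrtimer_is_queued - check whether the timer is on one of the queues`. The `!!(...)` in the body is redundant now that the return type is bool (conversion to bool already yields 0/1) and could be dropped, though it is harmless. In the kernel/time/hrtimer.c hunks, remove_hrtimer() keeps a plain `timer->state` load; that is presumably intentional because its callers hold the base lock, but a one-line comment such as `/* Plain load: base lock held, no concurrent writer */` would stop the next reader from "fixing" it with another READ_ONCE(). remove_hrtimer() continues past the end of its hunk.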
--- /dev/null
+From 71685eb4ce80ae9c49eff82ca4dd15acab215de9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Nov 2019 10:30:42 -0800
+Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 upstream.
+
+We need to explicitely forbid read/store tearing in inet_peer_gc()
+and inet_putpeer().
+
+The following syzbot report reminds us about inet_putpeer()
+running without a lock held.
+
+BUG: KCSAN: data-race in inet_putpeer / inet_putpeer
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/inetpeer.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_pee
+ base->total / inet_peer_threshold * HZ;
+ for (i = 0; i < gc_cnt; i++) {
+ p = gc_stack[i];
+- delta = (__u32)jiffies - p->dtime;
++
++ /* The READ_ONCE() pairs with the WRITE_ONCE()
++ * in inet_putpeer()
++ */
++ delta = (__u32)jiffies - READ_ONCE(p->dtime);
++
+ if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+ gc_stack[i] = NULL;
+ }
+@@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
+
+ void inet_putpeer(struct inet_peer *p)
+ {
+- p->dtime = (__u32)jiffies;
++ /* The WRITE_ONCE() pairs with itself (we run lockless)
++ * and the READ_ONCE() in inet_peer_gc()
++ */
++ WRITE_ONCE(p->dtime, (__u32)jiffies);
+
+ if (refcount_dec_and_test(&p->refcnt))
+ call_rcu(&p->rcu, inetpeer_free_rcu);
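Review bot: The comment added in inet_putpeer() says the WRITE_ONCE() "pairs with itself", which does not tell a reader what the hazard is; the two KCSAN stacks above show two inet_putpeer() calls storing dtime concurrently from RCU callbacks on different CPUs, so the comment should name that: `/* Concurrent inet_putpeer() calls may store dtime lockless; WRITE_ONCE() also pairs with the READ_ONCE() in inet_peer_gc(). */`. Only tearing is addressed: inet_peer_gc() still evaluates a dtime snapshot that a concurrent inet_putpeer() may refresh before refcount_dec_if_one() runs, which appears acceptable for a time-based GC heuristic but deserves a sentence in the inet_peer_gc() comment. inet_peer_gc() begins before its hunk and inet_putpeer() continues past the end of the second one.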
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/md/md.c | 1 +
+ drivers/md/md.c | 1 +
1 file changed, 1 insertion(+)
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 805b33e27496..4e7c9f398bc6 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
-@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
+@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev
/* not spare disk, or LEVEL_MULTIPATH */
if (sb->level == LEVEL_MULTIPATH ||
(rdev->desc_nr >= 0 &&
sb->disks[rdev->desc_nr].state &
((1<<MD_DISK_SYNC) | (1 << MD_DISK_ACTIVE))))
spare_disk = false;
---
-2.20.1
-
--- /dev/null
+From f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Nov 2019 18:49:43 -0800
+Subject: net: add a READ_ONCE() in skb_peek_tail()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 upstream.
+
+skb_peek_tail() can be used without protection of a lock,
+as spotted by KCSAN [1]
+
+In order to avoid load-stearing, add a READ_ONCE()
+
+Note that the corresponding WRITE_ONCE() are already there.
+
+[1]
+BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail
+
+read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1:
+ skb_peek_tail include/linux/skbuff.h:1784 [inline]
+ sk_wait_data+0x15b/0x250 net/core/sock.c:2477
+ kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103
+ kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130
+ sock_recvmsg_nosec net/socket.c:871 [inline]
+ sock_recvmsg net/socket.c:889 [inline]
+ sock_recvmsg+0x92/0xb0 net/socket.c:885
+ ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
+ do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
+ __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
+ __do_sys_recvmmsg net/socket.c:2703 [inline]
+ __se_sys_recvmmsg net/socket.c:2696 [inline]
+ __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1852 [inline]
+ __skb_queue_before include/linux/skbuff.h:1958 [inline]
+ __skb_queue_tail include/linux/skbuff.h:1991 [inline]
+ skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145
+ kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206
+ kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370
+ __strp_recv+0x348/0xf50 net/strparser/strparser.c:309
+ strp_recv+0x84/0xa0 net/strparser/strparser.c:343
+ tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639
+ strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366
+ do_strp_work net/strparser/strparser.c:414 [inline]
+ strp_work+0x9a/0xe0 net/strparser/strparser.c:423
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: kstrp strp_work
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/skbuff.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1795,7 +1795,7 @@ static inline struct sk_buff *skb_peek_n
+ */
+ static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_)
+ {
+- struct sk_buff *skb = list_->prev;
++ struct sk_buff *skb = READ_ONCE(list_->prev);
+
+ if (skb == (struct sk_buff *)list_)
+ skb = NULL;
+@@ -1861,7 +1861,9 @@ static inline void __skb_insert(struct s
+ struct sk_buff *prev, struct sk_buff *next,
+ struct sk_buff_head *list)
+ {
+- /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */
++ /* See skb_queue_empty_lockless() and skb_peek_tail()
++ * for the opposite READ_ONCE()
++ */
+ WRITE_ONCE(newsk->next, next);
+ WRITE_ONCE(newsk->prev, prev);
+ WRITE_ONCE(next->prev, newsk);
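Review bot: skb_peek_tail() is now annotated for lockless use, but its kernel-doc header (only the closing ` */` is in the hunk) presumably still describes the function in terms of holding the queue lock; it should state that without the lock the result is only a snapshot and the returned skb may be dequeued by the time the caller looks at it, e.g. `Lockless callers get a snapshot only; the returned skb is not pinned.` If skb_peek() is used without the lock by any caller, its `list_->next` load needs the matching READ_ONCE(), since __skb_insert() already publishes both next and prev with WRITE_ONCE(). skb_peek_tail() ends past its hunk (the return is not visible), and __skb_insert() continues past the second hunk.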
--- /dev/null
+From bbab7ef235031f6733b5429ae7877bfa22339712 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 8 Nov 2019 10:34:47 -0800
+Subject: net: icmp: fix data-race in cmp_global_allow()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bbab7ef235031f6733b5429ae7877bfa22339712 upstream.
+
+This code reads two global variables without protection
+of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
+avoid load/store-tearing and better document the intent.
+
+KCSAN reported :
+BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
+
+read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
+ icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+
+write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
+ icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/icmp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -249,10 +249,11 @@ bool icmp_global_allow(void)
+ bool rc = false;
+
+ /* Check if token bucket is empty and cannot be refilled
+- * without taking the spinlock.
++ * without taking the spinlock. The READ_ONCE() are paired
++ * with the following WRITE_ONCE() in this same function.
+ */
+- if (!icmp_global.credit) {
+- delta = min_t(u32, now - icmp_global.stamp, HZ);
++ if (!READ_ONCE(icmp_global.credit)) {
++ delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+ if (delta < HZ / 50)
+ return false;
+ }
+@@ -262,14 +263,14 @@ bool icmp_global_allow(void)
+ if (delta >= HZ / 50) {
+ incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
+ if (incr)
+- icmp_global.stamp = now;
++ WRITE_ONCE(icmp_global.stamp, now);
+ }
+ credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+ if (credit) {
+ credit--;
+ rc = true;
+ }
+- icmp_global.credit = credit;
++ WRITE_ONCE(icmp_global.credit, credit);
+ spin_unlock(&icmp_global.lock);
+ return rc;
+ }
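Review bot: The two READ_ONCE() loads in the unlocked fast path of icmp_global_allow() are taken separately, so `credit` and `stamp` can come from different updates made under icmp_global.lock; a refill landing between them can make this branch return false for a packet the locked path would have allowed, which is tolerable for a best-effort early-out (the authoritative computation presumably runs under the spin_lock() sitting between the two hunks) but the new comment mentions only pairing, not that the pair may be inconsistent. Extend it: `* without taking the spinlock. The two reads are independent snapshots; the authoritative update happens under icmp_global.lock below.` Inside the locked region `icmp_global.credit + incr` stays a plain load, which is correct because every writer holds the lock, and saying so in the same comment prevents a later READ_ONCE() being added there for no reason. icmp_global_allow() begins before the first hunk.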
--- /dev/null
+From 86434744fedf0cfe07a9eee3f4632c0e25c1d136 Mon Sep 17 00:00:00 2001
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Thu, 12 Dec 2019 22:35:58 +0100
+Subject: net/smc: add fallback check to connect()
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+commit 86434744fedf0cfe07a9eee3f4632c0e25c1d136 upstream.
+
+FASTOPEN setsockopt() or sendmsg() may switch the SMC socket to fallback
+mode. Once fallback mode is active, the native TCP socket functions are
+called. Nevertheless there is a small race window, when FASTOPEN
+setsockopt/sendmsg runs in parallel to a connect(), and switch the
+socket into fallback mode before connect() takes the sock lock.
+Make sure the SMC-specific connect setup is omitted in this case.
+
+This way a syzbot-reported refcount problem is fixed, triggered by
+different threads running non-blocking connect() and FASTOPEN_KEY
+setsockopt.
+
+Reported-by: syzbot+96d3f9ff6a86d37e44c8@syzkaller.appspotmail.com
+Fixes: 6d6dd528d5af ("net/smc: fix refcount non-blocking connect() -part 2")
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -854,6 +854,8 @@ static int smc_connect(struct socket *so
+ goto out;
+
+ sock_hold(&smc->sk); /* sock put in passive closing */
++ if (smc->use_fallback)
++ goto out;
+ if (flags & O_NONBLOCK) {
+ if (schedule_work(&smc->connect_work))
+ smc->connect_nonblock = 1;
+@@ -1716,8 +1718,6 @@ static int smc_setsockopt(struct socket
+ sk->sk_err = smc->clcsock->sk->sk_err;
+ sk->sk_error_report(sk);
+ }
+- if (rc)
+- return rc;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1725,6 +1725,8 @@ static int smc_setsockopt(struct socket
+ return -EFAULT;
+
+ lock_sock(sk);
++ if (rc || smc->use_fallback)
++ goto out;
+ switch (optname) {
+ case TCP_ULP:
+ case TCP_FASTOPEN:
+@@ -1736,15 +1738,14 @@ static int smc_setsockopt(struct socket
+ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
+- if (!smc->use_fallback)
+- rc = -EINVAL;
++ rc = -EINVAL;
+ }
+ break;
+ case TCP_NODELAY:
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (val && !smc->use_fallback)
++ if (val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1753,7 +1754,7 @@ static int smc_setsockopt(struct socket
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (!val && !smc->use_fallback)
++ if (!val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1764,6 +1765,7 @@ static int smc_setsockopt(struct socket
+ default:
+ break;
+ }
++out:
+ release_sock(sk);
+
+ return rc;
--- /dev/null
+From 5604285839aaedfb23ebe297799c6e558939334d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Dec 2019 14:43:39 -0800
+Subject: netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5604285839aaedfb23ebe297799c6e558939334d upstream.
+
+syzbot is kind enough to remind us we need to call skb_may_pull()
+
+BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
+ br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+ nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
+ nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
+ nf_hook include/linux/netfilter.h:260 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
+ br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
+ br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
+ nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
+ br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
+ __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
+ __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
+ __netif_receive_skb net/core/dev.c:5043 [inline]
+ process_backlog+0x610/0x13c0 net/core/dev.c:5874
+ napi_poll net/core/dev.c:6311 [inline]
+ net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
+ </IRQ>
+ do_softirq kernel/softirq.c:338 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
+ packet_snd net/packet/af_packet.c:2959 [inline]
+ packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45a679
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
+RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
+R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
+ kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
+ kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
+ slab_alloc_node mm/slub.c:2773 [inline]
+ __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
+ sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
+ packet_alloc_skb net/packet/af_packet.c:2807 [inline]
+ packet_snd net/packet/af_packet.c:2902 [inline]
+ packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/br_netfilter_hooks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -662,6 +662,9 @@ static unsigned int br_nf_forward_arp(vo
+ nf_bridge_pull_encap_header(skb);
+ }
+
++ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
++ return NF_DROP;
++
+ if (arp_hdr(skb)->ar_pln != 4) {
+ if (is_vlan_arp(skb, state->net))
+ nf_bridge_push_encap_header(skb);
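Review bot: The new `pskb_may_pull()` guarantees only `sizeof(struct arphdr)` bytes of linear data, which makes the `arp_hdr(skb)->ar_pln` read on the next line safe but says nothing about the variable-length hardware/protocol addresses that follow the fixed header; any later access to those would need a second pull sized from `ar_hln`/`ar_pln`, and that code is outside the hunk. A short comment would help the next reader, e.g. `/* the ARP header may still live in paged or uninitialised data (e.g. AF_PACKET senders); pull it before reading ar_pln */`. br_nf_forward_arp's body starts and ends outside this hunk.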
--- /dev/null
+From e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 15 Dec 2019 03:49:25 +0100
+Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
+
+From: Florian Westphal <fw@strlen.de>
+
+commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream.
+
+syzbot reported following splat:
+
+BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
+
+CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+ compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+ compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
+ compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
+ [..]
+
+Because padding isn't considered during computation of ->buf_user_offset,
+"total" is decremented by fewer bytes than it should.
+
+Therefore, the first part of
+
+if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
+
+will pass, -- it should not have. This causes oob access:
+entry->next_offset is past the vmalloced size.
+
+Reject padding and check that computed user offset (sum of ebt_entry
+structure plus all individual matches/watchers/targets) is same
+value that userspace gave us as the offset of the next entry.
+
+Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1867,7 +1867,7 @@ static int ebt_buf_count(struct ebt_entr
+ }
+
+ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+- void *data, unsigned int sz)
++ const void *data, unsigned int sz)
+ {
+ if (state->buf_kern_start == NULL)
+ goto count_only;
+@@ -1901,7 +1901,7 @@ enum compat_mwt {
+ EBT_COMPAT_TARGET,
+ };
+
+-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
+ enum compat_mwt compat_mwt,
+ struct ebt_entries_buf_state *state,
+ const unsigned char *base)
+@@ -1979,22 +1979,23 @@ static int compat_mtw_from_user(struct c
+ /* return size of all matches, watchers or target, including necessary
+ * alignment and padding.
+ */
+-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
+ unsigned int size_left, enum compat_mwt type,
+ struct ebt_entries_buf_state *state, const void *base)
+ {
++ const char *buf = (const char *)match32;
+ int growth = 0;
+- char *buf;
+
+ if (size_left == 0)
+ return 0;
+
+- buf = (char *) match32;
+-
+- while (size_left >= sizeof(*match32)) {
++ do {
+ struct ebt_entry_match *match_kern;
+ int ret;
+
++ if (size_left < sizeof(*match32))
++ return -EINVAL;
++
+ match_kern = (struct ebt_entry_match *) state->buf_kern_start;
+ if (match_kern) {
+ char *tmp;
+@@ -2031,22 +2032,18 @@ static int ebt_size_mwt(struct compat_eb
+ if (match_kern)
+ match_kern->match_size = ret;
+
+- /* rule should have no remaining data after target */
+- if (type == EBT_COMPAT_TARGET && size_left)
+- return -EINVAL;
+-
+ match32 = (struct compat_ebt_entry_mwt *) buf;
+- }
++ } while (size_left);
+
+ return growth;
+ }
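Review bot: Turning the `while` into `do { } while (size_left)` and deleting the "rule should have no remaining data after target" check is not an equivalent transformation: leftover bytes smaller than `sizeof(*match32)` now hit the new `-EINVAL` at the top of the loop, but leftover bytes of at least that size after a target are parsed as a further target structure instead of being rejected here. Whether the later per-entry validation rejects such a second target is not visible in this patch; if it does not, an explicit `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` after the target has been consumed would keep the old guarantee. ebt_size_mwt's body starts in the previous hunk.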
+
+ /* called for all ebt_entry structures. */
+-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
+ unsigned int *total,
+ struct ebt_entries_buf_state *state)
+ {
+- unsigned int i, j, startoff, new_offset = 0;
++ unsigned int i, j, startoff, next_expected_off, new_offset = 0;
+ /* stores match/watchers/targets & offset of next struct ebt_entry: */
+ unsigned int offsets[4];
+ unsigned int *offsets_update = NULL;
+@@ -2132,11 +2129,13 @@ static int size_entry_mwt(struct ebt_ent
+ return ret;
+ }
+
+- startoff = state->buf_user_offset - startoff;
++ next_expected_off = state->buf_user_offset - startoff;
++ if (next_expected_off != entry->next_offset)
++ return -EINVAL;
+
+- if (WARN_ON(*total < startoff))
++ if (*total < entry->next_offset)
+ return -EINVAL;
+- *total -= startoff;
++ *total -= entry->next_offset;
+ return 0;
+ }
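Review bot: Replacing `WARN_ON(*total < startoff)` with a plain `-EINVAL` is the right choice for a condition userspace can trigger, but the new `next_expected_off != entry->next_offset` comparison is the check that actually closes the padding hole and deserves a comment, e.g. `/* the next_offset userspace gave us must equal the size we just computed from its matches/watchers/target; padding is rejected in ebt_size_mwt() */`. size_entry_mwt's body starts outside this hunk.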
+
--- /dev/null
+From 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <ajd@linux.ibm.com>
+Date: Tue, 10 Dec 2019 00:22:21 +1100
+Subject: powerpc: Fix __clear_user() with KUAP enabled
+
+From: Andrew Donnellan <ajd@linux.ibm.com>
+
+commit 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 upstream.
+
+The KUAP implementation adds calls in clear_user() to enable and
+disable access to userspace memory. However, it doesn't add these to
+__clear_user(), which is used in the ptrace regset code.
+
+As there's only one direct user of __clear_user() (the regset code),
+and the time taken to set the AMR for KUAP purposes is going to
+dominate the cost of a quick access_ok(), there's not much point
+having a separate path.
+
+Rename __clear_user() to __arch_clear_user(), and make __clear_user()
+just call clear_user().
+
+Reported-by: syzbot+f25ecf4b2982d8c7a640@syzkaller-ppc64.appspotmail.com
+Reported-by: Daniel Axtens <dja@axtens.net>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
+Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
+[mpe: Use __arch_clear_user() for the asm version like arm64 & nds32]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191209132221.15328-1-ajd@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/uaccess.h | 9 +++++++--
+ arch/powerpc/lib/string_32.S | 4 ++--
+ arch/powerpc/lib/string_64.S | 6 +++---
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -401,7 +401,7 @@ copy_to_user_mcsafe(void __user *to, con
+ return n;
+ }
+
+-extern unsigned long __clear_user(void __user *addr, unsigned long size);
++unsigned long __arch_clear_user(void __user *addr, unsigned long size);
+
+ static inline unsigned long clear_user(void __user *addr, unsigned long size)
+ {
+@@ -409,12 +409,17 @@ static inline unsigned long clear_user(v
+ might_fault();
+ if (likely(access_ok(addr, size))) {
+ allow_write_to_user(addr, size);
+- ret = __clear_user(addr, size);
++ ret = __arch_clear_user(addr, size);
+ prevent_write_to_user(addr, size);
+ }
+ return ret;
+ }
+
++static inline unsigned long __clear_user(void __user *addr, unsigned long size)
++{
++ return clear_user(addr, size);
++}
++
+ extern long strncpy_from_user(char *dst, const char __user *src, long count);
+ extern __must_check long strnlen_user(const char __user *str, long n);
+
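Review bot: The new inline `__clear_user()` now goes through `clear_user()` and therefore performs `access_ok()`, `might_fault()` and the KUAP open/close on every call, which is a contract change for a double-underscore helper that callers conventionally use after their own `access_ok()`; the commit message justifies it, but the header should too. Suggest a comment above the new definition, e.g. `/* __clear_user() is a full-checking alias of clear_user(): KUAP must be opened around the access, and the extra access_ok() is cheap by comparison */`. Any caller that relies on `__clear_user()` being usable without the checking path would need review; none are visible here.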
+--- a/arch/powerpc/lib/string_32.S
++++ b/arch/powerpc/lib/string_32.S
+@@ -17,7 +17,7 @@ CACHELINE_BYTES = L1_CACHE_BYTES
+ LG_CACHELINE_BYTES = L1_CACHE_SHIFT
+ CACHELINE_MASK = (L1_CACHE_BYTES-1)
+
+-_GLOBAL(__clear_user)
++_GLOBAL(__arch_clear_user)
+ /*
+ * Use dcbz on the complete cache lines in the destination
+ * to set them to zero. This requires that the destination
+@@ -87,4 +87,4 @@ _GLOBAL(__clear_user)
+ EX_TABLE(8b, 91b)
+ EX_TABLE(9b, 91b)
+
+-EXPORT_SYMBOL(__clear_user)
++EXPORT_SYMBOL(__arch_clear_user)
+--- a/arch/powerpc/lib/string_64.S
++++ b/arch/powerpc/lib/string_64.S
+@@ -17,7 +17,7 @@ PPC64_CACHES:
+ .section ".text"
+
+ /**
+- * __clear_user: - Zero a block of memory in user space, with less checking.
++ * __arch_clear_user: - Zero a block of memory in user space, with less checking.
+ * @to: Destination address, in user space.
+ * @n: Number of bytes to zero.
+ *
+@@ -58,7 +58,7 @@ err3; stb r0,0(r3)
+ mr r3,r4
+ blr
+
+-_GLOBAL_TOC(__clear_user)
++_GLOBAL_TOC(__arch_clear_user)
+ cmpdi r4,32
+ neg r6,r3
+ li r0,0
+@@ -181,4 +181,4 @@ err1; dcbz 0,r3
+ cmpdi r4,32
+ blt .Lshort_clear
+ b .Lmedium_clear
+-EXPORT_SYMBOL(__clear_user)
++EXPORT_SYMBOL(__arch_clear_user)
--- /dev/null
+From db5cce1afc8d2475d2c1c37c2a8267dd0e151526 Mon Sep 17 00:00:00 2001
+From: Anders Kaseorg <andersk@mit.edu>
+Date: Mon, 2 Dec 2019 17:09:20 -0500
+Subject: Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection"
+
+From: Anders Kaseorg <andersk@mit.edu>
+
+commit db5cce1afc8d2475d2c1c37c2a8267dd0e151526 upstream.
+
+This reverts commit 968dcfb4905245dc64d65312c0d17692fa087b99.
+
+Both that commit and commit 809805a820c6445f7a701ded24fdc6bbc841d1e4
+attempted to fix the same bug (dead assignments to the local variable
+cfg), but they did so in incompatible ways. When they were both merged,
+independently of each other, the combination actually caused the bug to
+reappear, leading to a firmware crash on boot for some cards.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=205719
+
+Signed-off-by: Anders Kaseorg <andersk@mit.edu>
+Acked-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -1111,18 +1111,18 @@ static int iwl_pci_probe(struct pci_dev
+
+ /* same thing for QuZ... */
+ if (iwl_trans->hw_rev == CSR_HW_REV_TYPE_QUZ) {
+- if (iwl_trans->cfg == &iwl_ax101_cfg_qu_hr)
+- iwl_trans->cfg = &iwl_ax101_cfg_quz_hr;
+- else if (iwl_trans->cfg == &iwl_ax201_cfg_qu_hr)
+- iwl_trans->cfg = &iwl_ax201_cfg_quz_hr;
+- else if (iwl_trans->cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0)
+- iwl_trans->cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc;
+- else if (iwl_trans->cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0)
+- iwl_trans->cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc;
+- else if (iwl_trans->cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0)
+- iwl_trans->cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc;
+- else if (iwl_trans->cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0)
+- iwl_trans->cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc;
++ if (cfg == &iwl_ax101_cfg_qu_hr)
++ cfg = &iwl_ax101_cfg_quz_hr;
++ else if (cfg == &iwl_ax201_cfg_qu_hr)
++ cfg = &iwl_ax201_cfg_quz_hr;
++ else if (cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0)
++ cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc;
++ else if (cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0)
++ cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc;
++ else if (cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0)
++ cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc;
++ else if (cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0)
++ cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc;
+ }
+
+ #endif
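Review bot: After the revert the QuZ block assigns the replacement configs to the local `cfg` again, so the override only takes effect if `iwl_trans->cfg` is later set from `cfg` (presumably what commit 809805a820c6 arranges); that assignment is outside this hunk and should be confirmed present in the tree this is applied to, otherwise the dead-store bug the revert describes returns in the other direction. A one-line comment at the top of the block, e.g. `/* cfg is copied into iwl_trans->cfg below; keep the QuZ overrides on the local */`, would make the dependency explicit. iwl_pci_probe's body starts and ends outside this hunk.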
revert-powerpc-vcpu-assume-dedicated-processors-as-non-preempt.patch
sctp-fix-err-handling-of-stream-initialization.patch
md-make-sure-desc_nr-less-than-md_sb_disks.patch
+revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch
+netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
+6pack-mkiss-fix-possible-deadlock.patch
+powerpc-fix-__clear_user-with-kuap-enabled.patch
+net-smc-add-fallback-check-to-connect.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
+inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
+net-add-a-read_once-in-skb_peek_tail.patch
+net-icmp-fix-data-race-in-cmp_global_allow.patch
+hrtimer-annotate-lockless-access-to-timer-state.patch
+tomoyo-don-t-use-nifty-names-on-sockets.patch
+uaccess-disallow-int_max-copy-sizes.patch
+drm-limit-to-int_max-in-create_blob-ioctl.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
+shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
--- /dev/null
+From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Sat, 30 Nov 2019 17:50:26 -0800
+Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream.
+
+syzbot found the following crash:
+
+ BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
+ Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
+
+ CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
+ trace_lock_acquire include/trace/events/lock.h:13 [inline]
+ lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
+ __do_fault+0x111/0x540 mm/memory.c:3083
+ do_shared_fault mm/memory.c:3535 [inline]
+ do_fault mm/memory.c:3613 [inline]
+ handle_pte_fault mm/memory.c:3840 [inline]
+ __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
+ handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
+ do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
+ __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
+ do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
+ page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
+
+It happens if the VMA got unmapped under us while we dropped mmap_sem
+and inode got freed.
+
+Pinning the file if we drop mmap_sem fixes the issue.
+
+Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_
+ shmem_falloc->waitq &&
+ vmf->pgoff >= shmem_falloc->start &&
+ vmf->pgoff < shmem_falloc->next) {
++ struct file *fpin;
+ wait_queue_head_t *shmem_falloc_waitq;
+ DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
+
+ ret = VM_FAULT_NOPAGE;
+- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
+- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+- /* It's polite to up mmap_sem if we can */
+- up_read(&vma->vm_mm->mmap_sem);
++ fpin = maybe_unlock_mmap_for_io(vmf, NULL);
++ if (fpin)
+ ret = VM_FAULT_RETRY;
+- }
+
+ shmem_falloc_waitq = shmem_falloc->waitq;
+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
+@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_
+ spin_lock(&inode->i_lock);
+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
+ spin_unlock(&inode->i_lock);
++
++ if (fpin)
++ fput(fpin);
+ return ret;
+ }
+ spin_unlock(&inode->i_lock);
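Review bot: The `fput(fpin)` is correctly placed after `spin_unlock(&inode->i_lock)` so the final reference drop cannot run under the lock, but nothing in the hunks says why the file is pinned at all; a comment at the `maybe_unlock_mmap_for_io()` call in the first hunk would help, e.g. `/* pin the file: once mmap_sem is dropped the VMA can be unmapped and the inode freed under us */`. shmem_fault's body starts and ends outside these hunks.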
--- /dev/null
+From 6f7c41374b62fd80bbd8aae3536c43688c54d95e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 25 Nov 2019 10:46:51 +0900
+Subject: tomoyo: Don't use nifty names on sockets.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e upstream.
+
+syzbot is reporting that use of SOCKET_I()->sk from open() can result in
+use after free problem [1], for socket's inode is still reachable via
+/proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
+
+At first I thought that this race condition applies to only open/getattr
+permission checks. But James Morris has pointed out that there are more
+permission checks where this race condition applies to. Thus, get rid of
+tomoyo_get_socket_name() instead of conditionally bypassing permission
+checks on sockets. As a side effect of this patch,
+"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
+rewritten to "socket:[\$]".
+
+[1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com>
+Reported-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/tomoyo/realpath.c | 32 +-------------------------------
+ 1 file changed, 1 insertion(+), 31 deletions(-)
+
+--- a/security/tomoyo/realpath.c
++++ b/security/tomoyo/realpath.c
+@@ -218,31 +218,6 @@ out:
+ }
+
+ /**
+- * tomoyo_get_socket_name - Get the name of a socket.
+- *
+- * @path: Pointer to "struct path".
+- * @buffer: Pointer to buffer to return value in.
+- * @buflen: Sizeof @buffer.
+- *
+- * Returns the buffer.
+- */
+-static char *tomoyo_get_socket_name(const struct path *path, char * const buffer,
+- const int buflen)
+-{
+- struct inode *inode = d_backing_inode(path->dentry);
+- struct socket *sock = inode ? SOCKET_I(inode) : NULL;
+- struct sock *sk = sock ? sock->sk : NULL;
+-
+- if (sk) {
+- snprintf(buffer, buflen, "socket:[family=%u:type=%u:protocol=%u]",
+- sk->sk_family, sk->sk_type, sk->sk_protocol);
+- } else {
+- snprintf(buffer, buflen, "socket:[unknown]");
+- }
+- return buffer;
+-}
+-
+-/**
+ * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root.
+ *
+ * @path: Pointer to "struct path".
+@@ -279,12 +254,7 @@ char *tomoyo_realpath_from_path(const st
+ break;
+ /* To make sure that pos is '\0' terminated. */
+ buf[buf_len - 1] = '\0';
+- /* Get better name for socket. */
+- if (sb->s_magic == SOCKFS_MAGIC) {
+- pos = tomoyo_get_socket_name(path, buf, buf_len - 1);
+- goto encode;
+- }
+- /* For "pipe:[\$]". */
++ /* For "pipe:[\$]" and "socket:[\$]". */
+ if (dentry->d_op && dentry->d_op->d_dname) {
+ pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1);
+ goto encode;
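Review bot: With the socket-specific branch removed, sockets now take the generic `d_dname` path and are named `socket:[\$]`, which changes the string existing policies match against; the updated comment mentions the new form but not why the richer name was dropped, which matters for anyone tempted to reintroduce it. Suggest `/* For "pipe:[\$]" and "socket:[\$]". Socket-specific naming from SOCKET_I()->sk was removed: the inode stays reachable via /proc/pid/fd after the sock is gone. */`. tomoyo_realpath_from_path's body starts and ends outside this hunk.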
--- /dev/null
+From 6d13de1489b6bf539695f96d945de3860e6d5e17 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 4 Dec 2019 16:52:40 -0800
+Subject: uaccess: disallow > INT_MAX copy sizes
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 6d13de1489b6bf539695f96d945de3860e6d5e17 upstream.
+
+As we've done with VFS, string operations, etc, reject usercopy sizes
+larger than INT_MAX, which would be nice to have for catching bugs
+related to size calculation overflows[1].
+
+This adds 10 bytes to x86_64 defconfig text and 1980 bytes to the data
+section:
+
+ text data bss dec hex filename
+ 19691167 5134320 1646664 26472151 193eed7 vmlinux.before
+ 19691177 5136300 1646664 26474141 193f69d vmlinux.after
+
+[1] https://marc.info/?l=linux-s390&m=156631939010493&w=2
+
+Link: http://lkml.kernel.org/r/201908251612.F9902D7A@keescook
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/thread_info.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/thread_info.h
++++ b/include/linux/thread_info.h
+@@ -147,6 +147,8 @@ check_copy_size(const void *addr, size_t
+ __bad_copy_to();
+ return false;
+ }
++ if (WARN_ON_ONCE(bytes > INT_MAX))
++ return false;
+ check_object_size(addr, bytes, is_source);
+ return true;
+ }
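Review bot: `WARN_ON_ONCE(bytes > INT_MAX)` warns on the first oversized request and then silently returns false for every later one, which is fine for a kernel-bug detector but means the rejection itself should be documented so readers of the copy helpers know such sizes are refused rather than copied. Suggest a comment on the new check: `/* sizes above INT_MAX are almost certainly a negative or overflowed length calculation; refuse the copy and report it once */`. check_copy_size's body starts outside this hunk.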
--- /dev/null
+From 798a9cada4694ca8d970259f216cec47e675bfd5 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster <bfoster@redhat.com>
+
+commit 798a9cada4694ca8d970259f216cec47e675bfd5 upstream.
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added. Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1495,6 +1495,8 @@ out_free_iclog:
+ prev_iclog = iclog->ic_next;
+ kmem_free(iclog->ic_data);
+ kmem_free(iclog);
++ if (prev_iclog == log->l_iclog)
++ break;
+ }
+ out_free_log:
+ kmem_free(log);
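Review bot: The new `if (prev_iclog == log->l_iclog) break;` only makes sense once the reader knows `l_iclog` becomes a circular list after setup, which is not visible in the hunk; a comment on the break would save the next reader the same archaeology, e.g. `/* once the ring is fully linked, ic_next wraps to l_iclog; stop there instead of revisiting the freed head */`. The loop header and its NULL-termination condition are outside the hunk, so whether the partially-built case still relies on a NULL `ic_next` should be confirmed there.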