4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Nov 2019 10:48:58 +0000 (11:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Nov 2019 10:48:58 +0000 (11:48 +0100)
added patches:
bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
llc-fix-sk_buff-leak-in-llc_conn_service.patch
llc-fix-sk_buff-leak-in-llc_sap_state_process.patch
net-usb-sr9800-fix-uninitialized-local-variable.patch
sch_netem-fix-rcu-splat-in-netem_enqueue.patch

queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch [new file with mode: 0644]
queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch [new file with mode: 0644]
queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch [new file with mode: 0644]
queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch [new file with mode: 0644]
queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch b/queue-4.4/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
new file mode 100644 (file)
index 0000000..60d4bb7
--- /dev/null
@@ -0,0 +1,75 @@
+From a7137534b597b7c303203e6bc3ed87e87a273bb8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 7 Oct 2019 15:43:01 -0700
+Subject: bonding: fix potential NULL deref in bond_update_slave_arr
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream.
+
+syzbot got a NULL dereference in bond_update_slave_arr() [1],
+happening after a failure to allocate bond->slave_arr
+
+A workqueue (bond_slave_arr_handler) is supposed to retry
+the allocation later, but if the slave is removed before
+the workqueue had a chance to complete, bond->slave_arr
+can still be NULL.
+
+[1]
+
+Failed to build slave-array.
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+Modules linked in:
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
+RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
+RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
+RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
+FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
+ [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
+ [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
+ [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
+ [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
+ [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
+ [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
+ [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
+ [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
+ [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
+ [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
+ [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
+ [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
+ [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/bonding/bond_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3889,7 +3889,7 @@ out:
+                * this to-be-skipped slave to send a packet out.
+                */
+               old_arr = rtnl_dereference(bond->slave_arr);
+-              for (idx = 0; idx < old_arr->count; idx++) {
++              for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) {
+                       if (skipslave == old_arr->arr[idx]) {
+                               old_arr->arr[idx] =
+                                   old_arr->arr[old_arr->count-1];
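Review bot: The NULL test added to the loop condition, `old_arr != NULL && idx < old_arr->count`, carries no explanation of why bond->slave_arr can be NULL at this point; the commit message gives the reason (a failed allocation whose workqueue retry has not run yet) but the code does not. A one-line comment above `old_arr = rtnl_dereference(bond->slave_arr);`, e.g. `/* slave_arr is NULL if its allocation failed and the workqueue has not retried yet */`, would keep that invariant next to the check. Re-evaluating `old_arr != NULL` on every iteration is harmless, but a guard before the loop would read more naturally; the rest of bond_update_slave_arr() is outside the hunk, so I cannot tell whether an existing label suits that.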
diff --git a/queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch b/queue-4.4/llc-fix-sk_buff-leak-in-llc_conn_service.patch
new file mode 100644 (file)
index 0000000..7e66f9d
--- /dev/null
@@ -0,0 +1,187 @@
+From b74555de21acd791f12c4a1aeaf653dd7ac21133 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 6 Oct 2019 14:24:25 -0700
+Subject: llc: fix sk_buff leak in llc_conn_service()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream.
+
+syzbot reported:
+
+    BUG: memory leak
+    unreferenced object 0xffff88811eb3de00 (size 224):
+       comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
+       hex dump (first 32 bytes):
+         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+         00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
+       backtrace:
+         [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
+         [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
+         [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
+         [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
+         [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
+         [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
+         [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
+         [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
+         [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
+         [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
+         [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
+         [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
+         [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
+         [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
+         [...]
+
+The bug is that most callers of llc_conn_send_pdu() assume it consumes a
+reference to the skb, when actually due to commit b85ab56c3f81 ("llc:
+properly handle dev_queue_xmit() return value") it doesn't.
+
+Revert most of that commit, and instead make the few places that need
+llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
+
+Fixes: b85ab56c3f81 ("llc: properly handle dev_queue_xmit() return value")
+Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/llc_conn.h |    2 +-
+ net/llc/llc_c_ac.c     |    8 ++++++--
+ net/llc/llc_conn.c     |   32 +++++++++-----------------------
+ 3 files changed, 16 insertions(+), 26 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk);
+ /* Access to a connection */
+ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
+-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
+ void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
+ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
+ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -372,6 +372,7 @@ int llc_conn_ac_send_i_cmd_p_set_1(struc
+       llc_pdu_init_as_i_cmd(skb, 1, llc->vS, llc->vR);
+       rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+       if (likely(!rc)) {
++              skb_get(skb);
+               llc_conn_send_pdu(sk, skb);
+               llc_conn_ac_inc_vs_by_1(sk, skb);
+       }
+@@ -389,7 +390,8 @@ static int llc_conn_ac_send_i_cmd_p_set_
+       llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
+       rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+       if (likely(!rc)) {
+-              rc = llc_conn_send_pdu(sk, skb);
++              skb_get(skb);
++              llc_conn_send_pdu(sk, skb);
+               llc_conn_ac_inc_vs_by_1(sk, skb);
+       }
+       return rc;
+@@ -406,6 +408,7 @@ int llc_conn_ac_send_i_xxx_x_set_0(struc
+       llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
+       rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+       if (likely(!rc)) {
++              skb_get(skb);
+               llc_conn_send_pdu(sk, skb);
+               llc_conn_ac_inc_vs_by_1(sk, skb);
+       }
+@@ -916,7 +919,8 @@ static int llc_conn_ac_send_i_rsp_f_set_
+       llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
+       rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
+       if (likely(!rc)) {
+-              rc = llc_conn_send_pdu(sk, skb);
++              skb_get(skb);
++              llc_conn_send_pdu(sk, skb);
+               llc_conn_ac_inc_vs_by_1(sk, skb);
+       }
+       return rc;
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -30,7 +30,7 @@
+ #endif
+ static int llc_find_offset(int state, int ev_type);
+-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
++static void llc_conn_send_pdus(struct sock *sk);
+ static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
+ static int llc_exec_conn_trans_actions(struct sock *sk,
+                                      struct llc_conn_state_trans *trans,
+@@ -193,11 +193,11 @@ out_skb_put:
+       return rc;
+ }
+-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
+ {
+       /* queue PDU to send to MAC layer */
+       skb_queue_tail(&sk->sk_write_queue, skb);
+-      return llc_conn_send_pdus(sk, skb);
++      llc_conn_send_pdus(sk);
+ }
+ /**
+@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct
+       if (howmany_resend > 0)
+               llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
+       /* any PDUs to re-send are queued up; start sending to MAC */
+-      llc_conn_send_pdus(sk, NULL);
++      llc_conn_send_pdus(sk);
+ out:;
+ }
+@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct
+       if (howmany_resend > 0)
+               llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
+       /* any PDUs to re-send are queued up; start sending to MAC */
+-      llc_conn_send_pdus(sk, NULL);
++      llc_conn_send_pdus(sk);
+ out:;
+ }
+@@ -340,16 +340,12 @@ out:
+ /**
+  *    llc_conn_send_pdus - Sends queued PDUs
+  *    @sk: active connection
+- *    @hold_skb: the skb held by caller, or NULL if does not care
+  *
+- *    Sends queued pdus to MAC layer for transmission. When @hold_skb is
+- *    NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
+- *    successfully, or 1 for failure.
++ *    Sends queued pdus to MAC layer for transmission.
+  */
+-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
++static void llc_conn_send_pdus(struct sock *sk)
+ {
+       struct sk_buff *skb;
+-      int ret = 0;
+       while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
+               struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
+@@ -361,20 +357,10 @@ static int llc_conn_send_pdus(struct soc
+                       skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
+                       if (!skb2)
+                               break;
+-                      dev_queue_xmit(skb2);
+-              } else {
+-                      bool is_target = skb == hold_skb;
+-                      int rc;
+-
+-                      if (is_target)
+-                              skb_get(skb);
+-                      rc = dev_queue_xmit(skb);
+-                      if (is_target)
+-                              ret = rc;
++                      skb = skb2;
+               }
++              dev_queue_xmit(skb);
+       }
+-
+-      return ret;
+ }
+ /**
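Review bot: The new `void llc_conn_send_pdu()` prototype in the include/net/llc_conn.h hunk and its definition in net/llc/llc_conn.c state nothing about the reference-ownership contract the whole patch relies on, namely that the function always consumes a reference to @skb; the commit message says so, and the four `skb_get(skb)` insertions in llc_c_ac.c exist only because of it. Suggest a comment above the definition, `/* Consumes a reference to @skb; callers that still need it must skb_get() first. */`, so the next caller added in llc_c_ac.c does not reintroduce the leak or an over-release. A one-line comment beside each `skb_get(skb)` in llc_c_ac.c would also help, presumably noting that the event skb is still used afterwards (llc_conn_ac_inc_vs_by_1(sk, skb) follows each one); the bodies of those action functions start outside the hunks.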
diff --git a/queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch b/queue-4.4/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch
new file mode 100644 (file)
index 0000000..04a1615
--- /dev/null
@@ -0,0 +1,131 @@
+From c6ee11c39fcc1fb55130748990a8f199e76263b4 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 6 Oct 2019 14:24:24 -0700
+Subject: llc: fix sk_buff leak in llc_sap_state_process()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream.
+
+syzbot reported:
+
+    BUG: memory leak
+    unreferenced object 0xffff888116270800 (size 224):
+       comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
+       hex dump (first 32 bytes):
+         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+         00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
+       backtrace:
+         [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
+         [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
+         [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
+         [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
+         [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
+         [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
+         [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
+         [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
+         [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
+         [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
+         [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
+         [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
+         [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
+        [...]
+
+The bug is that llc_sap_state_process() always takes an extra reference
+to the skb, but sometimes neither llc_sap_next_state() nor
+llc_sap_state_process() itself drops this reference.
+
+Fix it by changing llc_sap_next_state() to never consume a reference to
+the skb, rather than sometimes do so and sometimes not.  Then remove the
+extra skb_get() and kfree_skb() from llc_sap_state_process().
+
+Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
+Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/llc/llc_s_ac.c |   12 +++++++++---
+ net/llc/llc_sap.c  |   23 ++++++++---------------
+ 2 files changed, 17 insertions(+), 18 deletions(-)
+
+--- a/net/llc/llc_s_ac.c
++++ b/net/llc/llc_s_ac.c
+@@ -58,8 +58,10 @@ int llc_sap_action_send_ui(struct llc_sa
+                           ev->daddr.lsap, LLC_PDU_CMD);
+       llc_pdu_init_as_ui_cmd(skb);
+       rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
+-      if (likely(!rc))
++      if (likely(!rc)) {
++              skb_get(skb);
+               rc = dev_queue_xmit(skb);
++      }
+       return rc;
+ }
+@@ -81,8 +83,10 @@ int llc_sap_action_send_xid_c(struct llc
+                           ev->daddr.lsap, LLC_PDU_CMD);
+       llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0);
+       rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
+-      if (likely(!rc))
++      if (likely(!rc)) {
++              skb_get(skb);
+               rc = dev_queue_xmit(skb);
++      }
+       return rc;
+ }
+@@ -135,8 +139,10 @@ int llc_sap_action_send_test_c(struct ll
+                           ev->daddr.lsap, LLC_PDU_CMD);
+       llc_pdu_init_as_test_cmd(skb);
+       rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
+-      if (likely(!rc))
++      if (likely(!rc)) {
++              skb_get(skb);
+               rc = dev_queue_xmit(skb);
++      }
+       return rc;
+ }
+--- a/net/llc/llc_sap.c
++++ b/net/llc/llc_sap.c
+@@ -197,29 +197,22 @@ out:
+  *    After executing actions of the event, upper layer will be indicated
+  *    if needed(on receiving an UI frame). sk can be null for the
+  *    datalink_proto case.
++ *
++ *    This function always consumes a reference to the skb.
+  */
+ static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb)
+ {
+       struct llc_sap_state_ev *ev = llc_sap_ev(skb);
+-      /*
+-       * We have to hold the skb, because llc_sap_next_state
+-       * will kfree it in the sending path and we need to
+-       * look at the skb->cb, where we encode llc_sap_state_ev.
+-       */
+-      skb_get(skb);
+       ev->ind_cfm_flag = 0;
+       llc_sap_next_state(sap, skb);
+-      if (ev->ind_cfm_flag == LLC_IND) {
+-              if (skb->sk->sk_state == TCP_LISTEN)
+-                      kfree_skb(skb);
+-              else {
+-                      llc_save_primitive(skb->sk, skb, ev->prim);
+-                      /* queue skb to the user. */
+-                      if (sock_queue_rcv_skb(skb->sk, skb))
+-                              kfree_skb(skb);
+-              }
++      if (ev->ind_cfm_flag == LLC_IND && skb->sk->sk_state != TCP_LISTEN) {
++              llc_save_primitive(skb->sk, skb, ev->prim);
++
++              /* queue skb to the user. */
++              if (sock_queue_rcv_skb(skb->sk, skb) == 0)
++                      return;
+       }
+       kfree_skb(skb);
+ }
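Review bot: The `skb_get(skb)` added before `rc = dev_queue_xmit(skb);` in the three llc_s_ac.c action handlers is uncommented, so it reads as a gratuitous reference bump rather than the ownership fix it is: dev_queue_xmit() consumes a reference, while llc_sap_state_process() now frees the event skb itself, as its new "always consumes a reference" comment says. Suggest `/* dev_queue_xmit() consumes a reference; the state machine still owns skb */` beside the first one in llc_sap_action_send_ui(), with the same note in send_xid_c() and send_test_c(). In llc_sap_state_process() the early `return` after a successful sock_queue_rcv_skb() hands the skb to the socket, and every other path reaches `kfree_skb(skb)`, which is consistent with the added comment.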
diff --git a/queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch b/queue-4.4/net-usb-sr9800-fix-uninitialized-local-variable.patch
new file mode 100644 (file)
index 0000000..db7e78b
--- /dev/null
@@ -0,0 +1,32 @@
+From 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Tue, 15 Oct 2019 22:20:20 +0200
+Subject: net: usb: sr9800: fix uninitialized local variable
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream.
+
+Make sure res does not contain random value if the call to
+sr_read_cmd fails for some reason.
+
+Reported-by: syzbot+f1842130bbcfb335bac1@syzkaller.appspotmail.com
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/sr9800.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -336,7 +336,7 @@ static void sr_set_multicast(struct net_
+ static int sr_mdio_read(struct net_device *net, int phy_id, int loc)
+ {
+       struct usbnet *dev = netdev_priv(net);
+-      __le16 res;
++      __le16 res = 0;
+       mutex_lock(&dev->phy_mutex);
+       sr_set_sw_mii(dev);
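Review bot: Initializing `res` to 0 stops the uninitialized read, but it makes a failed sr_read_cmd() indistinguishable from a PHY register that genuinely reads 0; the rest of sr_mdio_read() is outside the hunk, so I cannot see whether the sr_read_cmd() return value is checked there. If it is not, a short comment next to the initializer, e.g. `/* 0 on read failure; sr_read_cmd() errors are not propagated */`, would at least make the fallback explicit to callers of the MDIO read.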
diff --git a/queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch b/queue-4.4/sch_netem-fix-rcu-splat-in-netem_enqueue.patch
new file mode 100644 (file)
index 0000000..794ac9d
--- /dev/null
@@ -0,0 +1,102 @@
+From 159d2c7d8106177bd9a986fd005a311fe0d11285 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 24 Sep 2019 13:11:26 -0700
+Subject: sch_netem: fix rcu splat in netem_enqueue()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream.
+
+qdisc_root() use from netem_enqueue() triggers a lockdep warning.
+
+__dev_queue_xmit() uses rcu_read_lock_bh() which is
+not equivalent to rcu_read_lock() + local_bh_disable_bh as far
+as lockdep is concerned.
+
+WARNING: suspicious RCU usage
+5.3.0-rc7+ #0 Not tainted
+-----------------------------
+include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+3 locks held by syz-executor427/8855:
+ #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
+ #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214
+ #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804
+ #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline]
+ #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838
+
+stack backtrace:
+CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357
+ qdisc_root include/net/sch_generic.h:492 [inline]
+ netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479
+ __dev_xmit_skb net/core/dev.c:3527 [inline]
+ __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838
+ dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
+ neigh_hh_output include/net/neighbour.h:500 [inline]
+ neigh_output include/net/neighbour.h:509 [inline]
+ ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228
+ __ip_finish_output net/ipv4/ip_output.c:308 [inline]
+ __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290
+ ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417
+ dst_output include/net/dst.h:436 [inline]
+ ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125
+ ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555
+ udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887
+ udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174
+ inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
+ do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sch_generic.h |    5 +++++
+ net/sched/sch_netem.c     |    2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -289,6 +289,11 @@ static inline struct Qdisc *qdisc_root(c
+       return q;
+ }
++static inline struct Qdisc *qdisc_root_bh(const struct Qdisc *qdisc)
++{
++      return rcu_dereference_bh(qdisc->dev_queue->qdisc);
++}
++
+ static inline struct Qdisc *qdisc_root_sleeping(const struct Qdisc *qdisc)
+ {
+       return qdisc->dev_queue->qdisc_sleeping;
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -464,7 +464,7 @@ static int netem_enqueue(struct sk_buff
+        * skb will be queued.
+        */
+       if (count > 1 && (skb2 = skb_clone(skb, GFP_ATOMIC)) != NULL) {
+-              struct Qdisc *rootq = qdisc_root(sch);
++              struct Qdisc *rootq = qdisc_root_bh(sch);
+               u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
+               q->duplicate = 0;
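Review bot: The new `qdisc_root_bh()` helper in include/net/sch_generic.h has no comment distinguishing it from `qdisc_root()` directly above it, and the only difference is the RCU flavour it asserts, which is exactly the lockdep distinction the commit message explains. Suggest a comment above it, e.g. `/* Like qdisc_root(), for callers under rcu_read_lock_bh() (the __dev_queue_xmit() enqueue path). */`, so later readers do not "simplify" netem_enqueue() back to qdisc_root(). The use site in sch_netem.c is consistent with that, since per the trace netem_enqueue() is reached from __dev_queue_xmit(); the rest of netem_enqueue() is outside the hunk.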
index c1265b077e50dad4f2101a9d324292c72d704f25..5ffd462db422435fa0e7fbc9ae01046432d850be 100644 (file)
@@ -36,3 +36,8 @@ hid-fix-error-message-in-hid_open_report.patch
 nl80211-fix-validation-of-mesh-path-nexthop.patch
 s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
 rtlwifi-fix-potential-overflow-on-p2p-code.patch
+llc-fix-sk_buff-leak-in-llc_sap_state_process.patch
+llc-fix-sk_buff-leak-in-llc_conn_service.patch
+bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
+net-usb-sr9800-fix-uninitialized-local-variable.patch
+sch_netem-fix-rcu-splat-in-netem_enqueue.patch