From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 10:49:38 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.199~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b718dd0d2900b976c2b866b8df5f4d748c974be3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: blackhole_netdev-fix-syzkaller-reported-issue.patch bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch llc-fix-sk_buff-leak-in-llc_conn_service.patch llc-fix-sk_buff-leak-in-llc_sap_state_process.patch net-usb-sr9800-fix-uninitialized-local-variable.patch nfc-pn533-fix-use-after-free-and-memleaks.patch rxrpc-fix-call-ref-leak.patch sch_netem-fix-rcu-splat-in-netem_enqueue.patch --- diff --git a/queue-4.14/blackhole_netdev-fix-syzkaller-reported-issue.patch b/queue-4.14/blackhole_netdev-fix-syzkaller-reported-issue.patch new file mode 100644 index 00000000000..bcf8a0b9674 --- /dev/null +++ b/queue-4.14/blackhole_netdev-fix-syzkaller-reported-issue.patch 
@@ -0,0 +1,113 @@ +From b0818f80c8c1bc215bba276bd61c216014fab23b Mon Sep 17 00:00:00 2001 +From: Mahesh Bandewar +Date: Fri, 11 Oct 2019 18:14:55 -0700 +Subject: blackhole_netdev: fix syzkaller reported issue + +From: Mahesh Bandewar + +commit b0818f80c8c1bc215bba276bd61c216014fab23b upstream. + +While invalidating the dst, we assign backhole_netdev instead of +loopback device. However, this device does not have idev pointer +and hence no ip6_ptr even if IPv6 is enabled. Possibly this has +triggered the syzbot reported crash. + +The syzbot report does not have reproducer, however, this is the +only device that doesn't have matching idev created. + +Crash instruction is : + +static inline bool ip6_ignore_linkdown(const struct net_device *dev) +{ + const struct inet6_dev *idev = __in6_dev_get(dev); + + return !!idev->cnf.ignore_routes_with_linkdown; <= crash +} + +Also ipv6 always assumes presence of idev and never checks for it +being NULL (as does the above referenced code). So adding a idev +for the blackhole_netdev to avoid this class of crashes in the future. + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 7 ++++++- + net/ipv6/route.c | 15 ++++++--------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -6550,7 +6550,7 @@ static struct rtnl_af_ops inet6_ops __re + + int __init addrconf_init(void) + { +- struct inet6_dev *idev; ++ struct inet6_dev *idev, *bdev; + int i, err; + + err = ipv6_addr_label_init(); +@@ -6590,10 +6590,14 @@ int __init addrconf_init(void) + */ + rtnl_lock(); + idev = ipv6_add_dev(init_net.loopback_dev); ++ bdev = ipv6_add_dev(blackhole_netdev); + rtnl_unlock(); + if (IS_ERR(idev)) { + err = PTR_ERR(idev); + goto errlo; ++ } else if (IS_ERR(bdev)) { ++ err = PTR_ERR(bdev); ++ goto errlo; + } + + ip6_route_init_special_entries(); +@@ -6660,6 +6664,7 @@ void addrconf_cleanup(void) + addrconf_ifdown(dev, 1); + } + addrconf_ifdown(init_net.loopback_dev, 2); ++ addrconf_ifdown(blackhole_netdev, 2); + + /* + * Check hash table. +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -148,10 +148,9 @@ static void rt6_uncached_list_del(struct + + static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev) + { +- struct net_device *loopback_dev = net->loopback_dev; + int cpu; + +- if (dev == loopback_dev) ++ if (dev == net->loopback_dev) + return; + + for_each_possible_cpu(cpu) { +@@ -164,7 +163,7 @@ static void rt6_uncached_list_flush_dev( + struct net_device *rt_dev = rt->dst.dev; + + if (rt_idev->dev == dev) { +- rt->rt6i_idev = in6_dev_get(loopback_dev); ++ rt->rt6i_idev = in6_dev_get(blackhole_netdev); + in6_dev_put(rt_idev); + } + +@@ -414,13 +413,11 @@ static void ip6_dst_ifdown(struct dst_en + { + struct rt6_info *rt = (struct rt6_info *)dst; + struct inet6_dev *idev = rt->rt6i_idev; +- struct net_device *loopback_dev = +- dev_net(dev)->loopback_dev; + +- if (idev && idev->dev != loopback_dev) { +- struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev); +- if (loopback_idev) { +- 
rt->rt6i_idev = loopback_idev; ++ if (idev && idev->dev != dev_net(dev)->loopback_dev) { ++ struct inet6_dev *ibdev = in6_dev_get(blackhole_netdev); ++ if (ibdev) { ++ rt->rt6i_idev = ibdev; + in6_dev_put(idev); + } + } diff --git a/queue-4.14/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch b/queue-4.14/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch new file mode 100644 index 00000000000..0477f49ffc1 --- /dev/null +++ b/queue-4.14/bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch 
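Review bot: In rt6_uncached_list_flush_dev() the new `rt->rt6i_idev = in6_dev_get(blackhole_netdev);` stores the result without a NULL check, while the parallel change in ip6_dst_ifdown() guards the same call with `if (ibdev)`; the two sites should use the same form, since both now depend on the idev that addrconf_init() creates. In addrconf_init(), the `else if (IS_ERR(bdev))` arm means a failed loopback idev together with a successful blackhole idev jumps to errlo with bdev still attached; whether errlo tears that idev down is outside the hunk, so it is worth confirming. A short comment above the added `bdev = ipv6_add_dev(blackhole_netdev);`, such as `/* dsts invalidated on ifdown are re-pointed at blackhole_netdev, so it needs an idev like loopback */`, would record why this device gets one.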
@@ -0,0 +1,75 @@ +From a7137534b597b7c303203e6bc3ed87e87a273bb8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 7 Oct 2019 15:43:01 -0700 +Subject: bonding: fix potential NULL deref in bond_update_slave_arr + +From: Eric Dumazet + +commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream. + +syzbot got a NULL dereference in bond_update_slave_arr() [1], +happening after a failure to allocate bond->slave_arr + +A workqueue (bond_slave_arr_handler) is supposed to retry +the allocation later, but if the slave is removed before +the workqueue had a chance to complete, bond->slave_arr +can still be NULL. + +[1] + +Failed to build slave-array. +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Modules linked in: +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039 +RSP: 0018:ffff88018fe33678 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000 +RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20 +RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0 +FS: 00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923 + [] bond_release drivers/net/bonding/bond_main.c:2039 [inline] + [] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562 + [] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328 + [] 
dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495 + [] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088 + [] sock_ioctl+0x300/0x5d0 net/socket.c:1196 + [] vfs_ioctl fs/ioctl.c:47 [inline] + [] file_ioctl fs/ioctl.c:501 [inline] + [] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688 + [] SYSC_ioctl fs/ioctl.c:705 [inline] + [] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696 + [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Mahesh Bandewar +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3992,7 +3992,7 @@ out: + * this to-be-skipped slave to send a packet out. + */ + old_arr = rtnl_dereference(bond->slave_arr); +- for (idx = 0; idx < old_arr->count; idx++) { ++ for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) { + if (skipslave == old_arr->arr[idx]) { + old_arr->arr[idx] = + old_arr->arr[old_arr->count-1]; diff --git a/queue-4.14/llc-fix-sk_buff-leak-in-llc_conn_service.patch b/queue-4.14/llc-fix-sk_buff-leak-in-llc_conn_service.patch new file mode 100644 index 00000000000..7e66f9d0161 --- /dev/null +++ b/queue-4.14/llc-fix-sk_buff-leak-in-llc_conn_service.patch 
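Review bot: The added `old_arr != NULL` in the for-condition of bond_update_slave_arr() is re-evaluated on every iteration and hides what the check is for; a guard before the loop reads more clearly, e.g. `if (old_arr) {` followed by the original `for (idx = 0; idx < old_arr->count; idx++) {`. A comment such as `/* slave_arr may still be NULL if a previous allocation failed and the retry work has not run yet */` would tie the check to the race described in the commit message. Whether code after the loop also dereferences old_arr is outside the hunk.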
@@ -0,0 +1,187 @@ +From b74555de21acd791f12c4a1aeaf653dd7ac21133 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Oct 2019 14:24:25 -0700 +Subject: llc: fix sk_buff leak in llc_conn_service() + +From: Eric Biggers + +commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream. + +syzbot reported: + + BUG: memory leak + unreferenced object 0xffff88811eb3de00 (size 224): + comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff ..8$............ + backtrace: + [<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline] + [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54 + [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777 + [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] + [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline] + [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75 + [<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109 + [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477 + [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840 + [...] + +The bug is that most callers of llc_conn_send_pdu() assume it consumes a +reference to the skb, when actually due to commit b85ab56c3f81 ("llc: +properly handle dev_queue_xmit() return value") it doesn't. 
+ +Revert most of that commit, and instead make the few places that need +llc_conn_send_pdu() to *not* consume a reference call skb_get() before. + +Fixes: b85ab56c3f81 ("llc: properly handle dev_queue_xmit() return value") +Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/llc_conn.h | 2 +- + net/llc/llc_c_ac.c | 8 ++++++-- + net/llc/llc_conn.c | 32 +++++++++----------------------- + 3 files changed, 16 insertions(+), 26 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); + + /* Access to a connection */ + int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); +-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); ++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); + void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -372,6 +372,7 @@ int llc_conn_ac_send_i_cmd_p_set_1(struc + llc_pdu_init_as_i_cmd(skb, 1, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { ++ skb_get(skb); + llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } +@@ -389,7 +390,8 @@ static int llc_conn_ac_send_i_cmd_p_set_ + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- rc = llc_conn_send_pdu(sk, skb); ++ skb_get(skb); ++ llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -406,6 +408,7 @@ int llc_conn_ac_send_i_xxx_x_set_0(struc + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if 
(likely(!rc)) { ++ skb_get(skb); + llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } +@@ -916,7 +919,8 @@ static int llc_conn_ac_send_i_rsp_f_set_ + llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- rc = llc_conn_send_pdu(sk, skb); ++ skb_get(skb); ++ llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -30,7 +30,7 @@ + #endif + + static int llc_find_offset(int state, int ev_type); +-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); ++static void llc_conn_send_pdus(struct sock *sk); + static int llc_conn_service(struct sock *sk, struct sk_buff *skb); + static int llc_exec_conn_trans_actions(struct sock *sk, + struct llc_conn_state_trans *trans, +@@ -193,11 +193,11 @@ out_skb_put: + return rc; + } + +-int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) ++void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) + { + /* queue PDU to send to MAC layer */ + skb_queue_tail(&sk->sk_write_queue, skb); +- return llc_conn_send_pdus(sk, skb); ++ llc_conn_send_pdus(sk); + } + + /** +@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk, NULL); ++ llc_conn_send_pdus(sk); + out:; + } + +@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk, NULL); ++ llc_conn_send_pdus(sk); + out:; + } + +@@ -340,16 +340,12 @@ out: + /** + * llc_conn_send_pdus - Sends queued PDUs + * @sk: active connection +- * @hold_skb: the skb held by caller, or NULL if does not care + * +- * Sends queued pdus to MAC layer for transmission. 
When @hold_skb is +- * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent +- * successfully, or 1 for failure. ++ * Sends queued pdus to MAC layer for transmission. + */ +-static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) ++static void llc_conn_send_pdus(struct sock *sk) + { + struct sk_buff *skb; +- int ret = 0; + + while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { + struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); +@@ -361,20 +357,10 @@ static int llc_conn_send_pdus(struct soc + skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); + if (!skb2) + break; +- dev_queue_xmit(skb2); +- } else { +- bool is_target = skb == hold_skb; +- int rc; +- +- if (is_target) +- skb_get(skb); +- rc = dev_queue_xmit(skb); +- if (is_target) +- ret = rc; ++ skb = skb2; + } ++ dev_queue_xmit(skb); + } +- +- return ret; + } + + /** diff --git a/queue-4.14/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch b/queue-4.14/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch new file mode 100644 index 00000000000..04a1615d34c --- /dev/null +++ b/queue-4.14/llc-fix-sk_buff-leak-in-llc_sap_state_process.patch 
@@ -0,0 +1,131 @@ +From c6ee11c39fcc1fb55130748990a8f199e76263b4 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Oct 2019 14:24:24 -0700 +Subject: llc: fix sk_buff leak in llc_sap_state_process() + +From: Eric Biggers + +commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream. + +syzbot reported: + + BUG: memory leak + unreferenced object 0xffff888116270800 (size 224): + comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff . .*.....@=*.... + backtrace: + [<000000004d41b4cc>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline] + [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 + [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 + [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 + [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 + [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671 + [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 + [...] + +The bug is that llc_sap_state_process() always takes an extra reference +to the skb, but sometimes neither llc_sap_next_state() nor +llc_sap_state_process() itself drops this reference. + +Fix it by changing llc_sap_next_state() to never consume a reference to +the skb, rather than sometimes do so and sometimes not. Then remove the +extra skb_get() and kfree_skb() from llc_sap_state_process(). 
+ +Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com +Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Biggers +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/llc_s_ac.c | 12 +++++++++--- + net/llc/llc_sap.c | 23 ++++++++--------------- + 2 files changed, 17 insertions(+), 18 deletions(-) + +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -58,8 +58,10 @@ int llc_sap_action_send_ui(struct llc_sa + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_ui_cmd(skb); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +@@ -81,8 +83,10 @@ int llc_sap_action_send_xid_c(struct llc + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +@@ -135,8 +139,10 @@ int llc_sap_action_send_test_c(struct ll + ev->daddr.lsap, LLC_PDU_CMD); + llc_pdu_init_as_test_cmd(skb); + rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); +- if (likely(!rc)) ++ if (likely(!rc)) { ++ skb_get(skb); + rc = dev_queue_xmit(skb); ++ } + return rc; + } + +--- a/net/llc/llc_sap.c ++++ b/net/llc/llc_sap.c +@@ -197,29 +197,22 @@ out: + * After executing actions of the event, upper layer will be indicated + * if needed(on receiving an UI frame). sk can be null for the + * datalink_proto case. ++ * ++ * This function always consumes a reference to the skb. 
+ */ + static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb) + { + struct llc_sap_state_ev *ev = llc_sap_ev(skb); + +- /* +- * We have to hold the skb, because llc_sap_next_state +- * will kfree it in the sending path and we need to +- * look at the skb->cb, where we encode llc_sap_state_ev. +- */ +- skb_get(skb); + ev->ind_cfm_flag = 0; + llc_sap_next_state(sap, skb); +- if (ev->ind_cfm_flag == LLC_IND) { +- if (skb->sk->sk_state == TCP_LISTEN) +- kfree_skb(skb); +- else { +- llc_save_primitive(skb->sk, skb, ev->prim); + +- /* queue skb to the user. */ +- if (sock_queue_rcv_skb(skb->sk, skb)) +- kfree_skb(skb); +- } ++ if (ev->ind_cfm_flag == LLC_IND && skb->sk->sk_state != TCP_LISTEN) { ++ llc_save_primitive(skb->sk, skb, ev->prim); ++ ++ /* queue skb to the user. */ ++ if (sock_queue_rcv_skb(skb->sk, skb) == 0) ++ return; + } + kfree_skb(skb); + } diff --git a/queue-4.14/net-usb-sr9800-fix-uninitialized-local-variable.patch b/queue-4.14/net-usb-sr9800-fix-uninitialized-local-variable.patch new file mode 100644 index 00000000000..db7e78b9cea --- /dev/null +++ b/queue-4.14/net-usb-sr9800-fix-uninitialized-local-variable.patch 
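Review bot: The three `skb_get(skb); rc = dev_queue_xmit(skb);` additions in llc_s_ac.c carry no comment, and the reason — llc_sap_next_state() no longer consumes a reference, so the caller keeps ownership while dev_queue_xmit() takes its own — is stated only in the commit message; a comment at each site, `/* dev_queue_xmit() consumes a ref; the caller still owns skb */`, would keep the rule next to the code. In llc_sap_state_process() the new `if (sock_queue_rcv_skb(skb->sk, skb) == 0) return;` relies on the trailing `kfree_skb(skb)` for the failure case, which is correct but easy to misread, so a comment `/* queued: ownership moved to the socket */` before the return would help. The `skb->sk` dereference in the new condition predates this change.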
@@ -0,0 +1,32 @@ +From 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 Mon Sep 17 00:00:00 2001 +From: Valentin Vidic +Date: Tue, 15 Oct 2019 22:20:20 +0200 +Subject: net: usb: sr9800: fix uninitialized local variable + +From: Valentin Vidic + +commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream. + +Make sure res does not contain random value if the call to +sr_read_cmd fails for some reason. + +Reported-by: syzbot+f1842130bbcfb335bac1@syzkaller.appspotmail.com +Signed-off-by: Valentin Vidic +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/sr9800.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -336,7 +336,7 @@ static void sr_set_multicast(struct net_ + static int sr_mdio_read(struct net_device *net, int phy_id, int loc) + { + struct usbnet *dev = netdev_priv(net); +- __le16 res; ++ __le16 res = 0; + + mutex_lock(&dev->phy_mutex); + sr_set_sw_mii(dev); diff --git a/queue-4.14/nfc-pn533-fix-use-after-free-and-memleaks.patch b/queue-4.14/nfc-pn533-fix-use-after-free-and-memleaks.patch new file mode 100644 index 00000000000..20fbfb72301 --- /dev/null +++ b/queue-4.14/nfc-pn533-fix-use-after-free-and-memleaks.patch 
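Review bot: Initialising `res` to 0 in sr_mdio_read() removes the uninitialised read but turns a failed sr_read_cmd() into a silently returned register value of 0, which a caller cannot tell from a genuine read of 0; the rest of the function, including the sr_read_cmd() call and its return value, lies outside the hunk. If sr_read_cmd() reports errors, propagating them to the MDIO caller would be the stronger fix; otherwise a comment such as `/* 0 if the read fails; callers cannot distinguish this from a real 0 */` should record the limitation.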
@@ -0,0 +1,51 @@ +From 6af3aa57a0984e061f61308fe181a9a12359fecc Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 7 Oct 2019 18:40:59 +0200 +Subject: NFC: pn533: fix use-after-free and memleaks + +From: Johan Hovold + +commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream. + +The driver would fail to deregister and its class device and free +related resources on late probe errors. + +Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com +Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") +Signed-off-by: Johan Hovold +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/pn533/usb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -559,18 +559,25 @@ static int pn533_usb_probe(struct usb_in + + rc = pn533_finalize_setup(priv); + if (rc) +- goto error; ++ goto err_deregister; + + usb_set_intfdata(interface, phy); + + return 0; + ++err_deregister: ++ pn533_unregister_device(phy->priv); + error: ++ usb_kill_urb(phy->in_urb); ++ usb_kill_urb(phy->out_urb); ++ usb_kill_urb(phy->ack_urb); ++ + usb_free_urb(phy->in_urb); + usb_free_urb(phy->out_urb); + usb_free_urb(phy->ack_urb); + usb_put_dev(phy->udev); + kfree(in_buf); ++ kfree(phy->ack_buffer); + + return rc; + } diff --git a/queue-4.14/rxrpc-fix-call-ref-leak.patch b/queue-4.14/rxrpc-fix-call-ref-leak.patch new file mode 100644 index 00000000000..8def05abe76 --- /dev/null +++ b/queue-4.14/rxrpc-fix-call-ref-leak.patch 
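Review bot: The new unwind labels in pn533_usb_probe() have no comment explaining their ordering, which matters here: usb_kill_urb() must run before usb_free_urb(), and the device is deregistered before the URBs are stopped; a comment at `err_deregister:` such as `/* unwind in reverse order of setup: deregister, stop in-flight URBs, then free */` would protect that order against later edits. The added `kfree(phy->ack_buffer);` is reached from every `goto error`, so it relies on ack_buffer being either NULL or a valid allocation at each of those sites; the earlier part of the function is outside the hunk, so that is worth confirming.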
@@ -0,0 +1,47 @@ +From c48fc11b69e95007109206311b0187a3090591f3 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 7 Oct 2019 10:58:28 +0100 +Subject: rxrpc: Fix call ref leak + +From: David Howells + +commit c48fc11b69e95007109206311b0187a3090591f3 upstream. + +When sendmsg() finds a call to continue on with, if the call is in an +inappropriate state, it doesn't release the ref it just got on that call +before returning an error. + +This causes the following symptom to show up with kasan: + + BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 + net/rxrpc/output.c:635 + Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077 + +where line 635 is: + + whdr.epoch = htonl(peer->local->rxnet->epoch); + +The local endpoint (which cannot be pinned by the call) has been released, +but not the peer (which is pinned by the call). + +Fix this by releasing the call in the error path. + +Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception") +Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/sendmsg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -586,6 +586,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock * + case RXRPC_CALL_SERVER_PREALLOC: + case RXRPC_CALL_SERVER_SECURING: + case RXRPC_CALL_SERVER_ACCEPTING: ++ rxrpc_put_call(call, rxrpc_call_put); + ret = -EBUSY; + goto error_release_sock; + default: diff --git a/queue-4.14/sch_netem-fix-rcu-splat-in-netem_enqueue.patch b/queue-4.14/sch_netem-fix-rcu-splat-in-netem_enqueue.patch new file mode 100644 index 00000000000..6e20ebc9ef6 --- /dev/null +++ b/queue-4.14/sch_netem-fix-rcu-splat-in-netem_enqueue.patch 
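Review bot: The added `rxrpc_put_call(call, rxrpc_call_put);` releases the reference only for the three SERVER_* cases shown; the `default:` arm that follows, and any other arm that ends in `goto error_release_sock` with the call held, lie outside the hunk and would carry the same leak if they exist. A structure that is harder to get wrong keeps the put out of the switch and releases the call once on the error path, e.g. a dedicated `error_put_call:` label that runs `rxrpc_put_call(call, rxrpc_call_put);` and then falls into error_release_sock. At minimum a comment `/* drop the ref taken when the call was looked up */` on the new line would explain why this arm differs from the others.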
@@ -0,0 +1,102 @@ +From 159d2c7d8106177bd9a986fd005a311fe0d11285 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 24 Sep 2019 13:11:26 -0700 +Subject: sch_netem: fix rcu splat in netem_enqueue() + +From: Eric Dumazet + +commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream. + +qdisc_root() use from netem_enqueue() triggers a lockdep warning. + +__dev_queue_xmit() uses rcu_read_lock_bh() which is +not equivalent to rcu_read_lock() + local_bh_disable_bh as far +as lockdep is concerned. + +WARNING: suspicious RCU usage +5.3.0-rc7+ #0 Not tainted +----------------------------- +include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by syz-executor427/8855: + #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] + #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214 + #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804 + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline] + #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838 + +stack backtrace: +CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357 + qdisc_root include/net/sch_generic.h:492 [inline] + netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479 + __dev_xmit_skb net/core/dev.c:3527 [inline] + __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838 + 
dev_queue_xmit+0x18/0x20 net/core/dev.c:3902 + neigh_hh_output include/net/neighbour.h:500 [inline] + neigh_output include/net/neighbour.h:509 [inline] + ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228 + __ip_finish_output net/ipv4/ip_output.c:308 [inline] + __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290 + ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417 + dst_output include/net/dst.h:436 [inline] + ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125 + ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555 + udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887 + udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174 + inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 + __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 + __do_sys_sendmmsg net/socket.c:2442 [inline] + __se_sys_sendmmsg net/socket.c:2439 [inline] + __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 + do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sch_generic.h | 5 +++++ + net/sched/sch_netem.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -305,6 +305,11 @@ static inline struct Qdisc *qdisc_root(c + return q; + } + ++static inline struct Qdisc *qdisc_root_bh(const struct Qdisc *qdisc) ++{ ++ return rcu_dereference_bh(qdisc->dev_queue->qdisc); ++} ++ + static inline struct Qdisc *qdisc_root_sleeping(const struct Qdisc *qdisc) + { + return qdisc->dev_queue->qdisc_sleeping; +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -469,7 +469,7 @@ static int netem_enqueue(struct sk_buff + * skb will be queued. + */ + if (count > 1 && (skb2 = skb_clone(skb, GFP_ATOMIC)) != NULL) { +- struct Qdisc *rootq = qdisc_root(sch); ++ struct Qdisc *rootq = qdisc_root_bh(sch); + u32 dupsave = q->duplicate; /* prevent duplicating a dup... */ + + q->duplicate = 0; diff --git a/queue-4.14/series b/queue-4.14/series index 73bf8158462..582caba2142 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -81,3 +81,11 @@ s390-idle-fix-cpu-idle-time-calculation.patch arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch rtlwifi-fix-potential-overflow-on-p2p-code.patch dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch +llc-fix-sk_buff-leak-in-llc_sap_state_process.patch +llc-fix-sk_buff-leak-in-llc_conn_service.patch +rxrpc-fix-call-ref-leak.patch +nfc-pn533-fix-use-after-free-and-memleaks.patch +bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch +blackhole_netdev-fix-syzkaller-reported-issue.patch +net-usb-sr9800-fix-uninitialized-local-variable.patch +sch_netem-fix-rcu-splat-in-netem_enqueue.patch
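Review bot: The new `qdisc_root_bh()` in sch_generic.h has no kernel-doc, although a helper that sits beside qdisc_root() and differs from it only in RCU flavour needs one to be picked correctly; a comment above it such as `/* Like qdisc_root(), for callers running under rcu_read_lock_bh() (e.g. the enqueue path reached from __dev_queue_xmit()) */` would tell the next reader which variant applies. Without it, a future enqueue-path caller is likely to reach for qdisc_root() again and reintroduce the lockdep warning this patch fixes.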