--- /dev/null
+From 212ac181c158c09038c474ba68068be49caecebb Mon Sep 17 00:00:00 2001
+From: Zubin Mithra <zsm@chromium.org>
+Date: Thu, 4 Apr 2019 14:33:55 -0700
+Subject: ALSA: seq: Fix OOB-reads from strlcpy
+
+From: Zubin Mithra <zsm@chromium.org>
+
+commit 212ac181c158c09038c474ba68068be49caecebb upstream.
+
+When ioctl calls are made with non-null-terminated userspace strings,
+strlcpy causes an OOB-read from within strlen. Fix by changing to use
+strscpy instead.
+
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info
+
+ /* fill the info fields */
+ if (client_info.name[0])
+- strlcpy(client->name, client_info.name, sizeof(client->name));
++ strscpy(client->name, client_info.name, sizeof(client->name));
+
+ client->filter = client_info.filter;
+ client->event_lost = client_info.event_lost;
+@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(st
+ /* set queue name */
+ if (! info.name[0])
+ snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
+- strlcpy(q->name, info.name, sizeof(q->name));
++ strscpy(q->name, info.name, sizeof(q->name));
+ queuefree(q);
+
+ if (copy_to_user(arg, &info, sizeof(info)))
+@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(
+ queuefree(q);
+ return -EPERM;
+ }
+- strlcpy(q->name, info.name, sizeof(q->name));
++ strscpy(q->name, info.name, sizeof(q->name));
+ queuefree(q);
+
+ return 0;
--- /dev/null
+From foo@baz Mon Apr 15 07:47:06 CEST 2019
+From: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Date: Mon, 1 Apr 2019 13:04:42 +1300
+Subject: ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
+
+From: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+
+[ Upstream commit b2e54b09a3d29c4db883b920274ca8dca4d9f04d ]
+
+The device type for ip6 tunnels is set to
+ARPHRD_TUNNEL6. However, the ip4ip6_err function
+is expecting the device type of the tunnel to be
+ARPHRD_TUNNEL. Since the device types do not
+match, the function exits and the ICMP error
+packet is not sent to the originating host. Note
+that the device type for IPv4 tunnels is set to
+ARPHRD_TUNNEL.
+
+Fix is to expect a tunnel device type of
+ARPHRD_TUNNEL6 instead. Now the tunnel device
+type matches and the ICMP error packet is sent
+to the originating host.
+
+Signed-off-by: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -638,7 +638,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ IPPROTO_IPIP,
+ RT_TOS(eiph->tos), 0);
+ if (IS_ERR(rt) ||
+- rt->dst.dev->type != ARPHRD_TUNNEL) {
++ rt->dst.dev->type != ARPHRD_TUNNEL6) {
+ if (!IS_ERR(rt))
+ ip_rt_put(rt);
+ goto out;
+@@ -648,7 +648,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ ip_rt_put(rt);
+ if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,
+ skb2->dev) ||
+- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL)
++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6)
+ goto out;
+ }
+
--- /dev/null
+From foo@baz Mon Apr 15 07:47:06 CEST 2019
+From: Li RongQing <lirongqing@baidu.com>
+Date: Fri, 29 Mar 2019 09:18:02 +0800
+Subject: net: ethtool: not call vzalloc for zero sized memory request
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 3d8830266ffc28c16032b859e38a0252e014b631 ]
+
+NULL or ZERO_SIZE_PTR will be returned for zero sized memory
+request, and derefencing them will lead to a segfault
+
+so it is unnecessory to call vzalloc for zero sized memory
+request and not call functions which maybe derefence the
+NULL allocated memory
+
+this also fixes a possible memory leak if phy_ethtool_get_stats
+returns error, memory should be freed before exit
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Wang Li <wangli39@baidu.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/ethtool.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1257,17 +1257,22 @@ static int ethtool_get_strings(struct ne
+
+ gstrings.len = ret;
+
+- data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER);
+- if (!data)
+- return -ENOMEM;
++ if (gstrings.len) {
++ data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER);
++ if (!data)
++ return -ENOMEM;
+
+- __ethtool_get_strings(dev, gstrings.string_set, data);
++ __ethtool_get_strings(dev, gstrings.string_set, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &gstrings, sizeof(gstrings)))
+ goto out;
+ useraddr += sizeof(gstrings);
+- if (copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))
++ if (gstrings.len &&
++ copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))
+ goto out;
+ ret = 0;
+
+@@ -1355,17 +1360,21 @@ static int ethtool_get_stats(struct net_
+ return -EFAULT;
+
+ stats.n_stats = n_stats;
+- data = kmalloc(n_stats * sizeof(u64), GFP_USER);
+- if (!data)
+- return -ENOMEM;
++ if (n_stats) {
++ data = kmalloc(n_stats * sizeof(u64), GFP_USER);
++ if (!data)
++ return -ENOMEM;
+
+- ops->get_ethtool_stats(dev, &stats, data);
++ ops->get_ethtool_stats(dev, &stats, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &stats, sizeof(stats)))
+ goto out;
+ useraddr += sizeof(stats);
+- if (copy_to_user(useraddr, data, stats.n_stats * sizeof(u64)))
++ if (n_stats && copy_to_user(useraddr, data, n_stats * sizeof(u64)))
+ goto out;
+ ret = 0;
+
--- /dev/null
+From foo@baz Mon Apr 15 07:47:06 CEST 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 08:21:30 -0700
+Subject: netns: provide pure entropy for net_hash_mix()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ]
+
+net_hash_mix() currently uses kernel address of a struct net,
+and is used in many places that could be used to reveal this
+address to a patient attacker, thus defeating KASLR, for
+the typical case (initial net namespace, &init_net is
+not dynamically allocated)
+
+I believe the original implementation tried to avoid spending
+too many cycles in this function, but security comes first.
+
+Also provide entropy regardless of CONFIG_NET_NS.
+
+Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Cc: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/net_namespace.h | 2 ++
+ include/net/netns/hash.h | 15 ++-------------
+ net/core/net_namespace.c | 1 +
+ 3 files changed, 5 insertions(+), 13 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,6 +54,8 @@ struct net {
+ #endif
+ spinlock_t rules_mod_lock;
+
++ u32 hash_mix;
++
+ struct list_head list; /* list of network namespaces */
+ struct list_head cleanup_list; /* namespaces on death row */
+ struct list_head exit_list; /* Use only net_mutex */
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -1,21 +1,10 @@
+ #ifndef __NET_NS_HASH_H__
+ #define __NET_NS_HASH_H__
+
+-#include <asm/cache.h>
+-
+-struct net;
++#include <net/net_namespace.h>
+
+ static inline unsigned int net_hash_mix(struct net *net)
+ {
+-#ifdef CONFIG_NET_NS
+- /*
+- * shift this right to eliminate bits, that are
+- * always zeroed
+- */
+-
+- return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT);
+-#else
+- return 0;
+-#endif
++ return net->hash_mix;
+ }
+ #endif
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -156,6 +156,7 @@ static __net_init int setup_net(struct n
+
+ atomic_set(&net->count, 1);
+ atomic_set(&net->passive, 1);
++ get_random_bytes(&net->hash_mix, sizeof(u32));
+ net->dev_base_seq = 1;
+ net->user_ns = user_ns;
+
--- /dev/null
+From foo@baz Mon Apr 15 10:13:34 CEST 2019
+From: Andrea Righi <andrea.righi@canonical.com>
+Date: Thu, 28 Mar 2019 07:36:00 +0100
+Subject: openvswitch: fix flow actions reallocation
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+[ Upstream commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb ]
+
+The flow action buffer can be resized if it's not big enough to contain
+all the requested flow actions. However, this resize doesn't take into
+account the new requested size, the buffer is only increased by a factor
+of 2x. This might be not enough to contain the new data, causing a
+buffer overflow, for example:
+
+[ 42.044472] =============================================================================
+[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
+[ 42.046415] -----------------------------------------------------------------------------
+
+[ 42.047715] Disabling lock debugging due to kernel taint
+[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
+[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
+[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb
+
+[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
+[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
+[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
+[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
+[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
+[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+
+Fix by making sure the new buffer is properly resized to contain all the
+requested data.
+
+BugLink: https://bugs.launchpad.net/bugs/1813244
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -1261,14 +1261,14 @@ static struct nlattr *reserve_sfa_size(s
+
+ struct sw_flow_actions *acts;
+ int new_acts_size;
+- int req_size = NLA_ALIGN(attr_len);
++ size_t req_size = NLA_ALIGN(attr_len);
+ int next_offset = offsetof(struct sw_flow_actions, actions) +
+ (*sfa)->actions_len;
+
+ if (req_size <= (ksize(*sfa) - next_offset))
+ goto out;
+
+- new_acts_size = ksize(*sfa) * 2;
++ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
--- /dev/null
+From foo@baz Mon Apr 15 10:13:34 CEST 2019
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Wed, 27 Mar 2019 15:26:01 +0100
+Subject: qmi_wwan: add Olicard 600
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 6289d0facd9ebce4cc83e5da39e15643ee998dc5 ]
+
+This is a Qualcomm based device with a QMI function on interface 4.
+It is mode switched from 2020:2030 using a standard eject message.
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2020 ProdID=2031 Rev= 2.32
+S: Manufacturer=Mobile Connect
+S: Product=Mobile Connect
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
+E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -759,6 +759,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
+ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
+ {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
++ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
--- /dev/null
+From foo@baz Mon Apr 15 10:13:34 CEST 2019
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 16:58:15 +0800
+Subject: sctp: initialize _pad of sockaddr_in before copying to user memory
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ]
+
+Syzbot report a kernel-infoleak:
+
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ Call Trace:
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
+ sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
+ ...
+ Uninit was stored to memory at:
+ sctp_transport_init net/sctp/transport.c:61 [inline]
+ sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
+ sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
+ sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
+ sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
+ ...
+ Bytes 8-15 of 16 are uninitialized
+
+It was caused by that th _pad field (the 8-15 bytes) of a v4 addr (saved in
+struct sockaddr_in) wasn't initialized, but directly copied to user memory
+in sctp_getsockopt_peer_addrs().
+
+So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of
+sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as
+sctp_v6_addr_to_user() does.
+
+Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -578,6 +578,7 @@ out:
+ static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
+ {
+ /* No address mapping for V4 sockets */
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
+ }
+
drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch
binfmt_elf-switch-to-new-creds-when-switching-to-new-mm.patch
lib-string.c-implement-a-basic-bcmp.patch
+tty-mark-siemens-r3964-line-discipline-as-broken.patch
+tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch
+openvswitch-fix-flow-actions-reallocation.patch
+qmi_wwan-add-olicard-600.patch
+sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch
+netns-provide-pure-entropy-for-net_hash_mix.patch
+net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch
+ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch
+alsa-seq-fix-oob-reads-from-strlcpy.patch
--- /dev/null
+From 7c0cca7c847e6e019d67b7d793efbbe3b947d004 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 21 Jan 2019 17:26:42 +0100
+Subject: tty: ldisc: add sysctl to prevent autoloading of ldiscs
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7c0cca7c847e6e019d67b7d793efbbe3b947d004 upstream.
+
+By default, the kernel will automatically load the module of any line
+dicipline that is asked for. As this sometimes isn't the safest thing
+to do, provide a sysctl to disable this feature.
+
+By default, we set this to 'y' as that is the historical way that Linux
+has worked, and we do not want to break working systems. But in the
+future, perhaps this can default to 'n' to prevent this functionality.
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/Kconfig | 23 +++++++++++++++++++++++
+ drivers/tty/tty_io.c | 3 +++
+ drivers/tty/tty_ldisc.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 73 insertions(+)
+
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -419,4 +419,27 @@ config DA_CONSOLE
+ help
+ This enables a console on a Dash channel.
+
++config LDISC_AUTOLOAD
++ bool "Automatically load TTY Line Disciplines"
++ default y
++ help
++ Historically the kernel has always automatically loaded any
++ line discipline that is in a kernel module when a user asks
++ for it to be loaded with the TIOCSETD ioctl, or through other
++ means. This is not always the best thing to do on systems
++ where you know you will not be using some of the more
++ "ancient" line disciplines, so prevent the kernel from doing
++ this unless the request is coming from a process with the
++ CAP_SYS_MODULE permissions.
++
++ Say 'Y' here if you trust your userspace users to do the right
++ thing, or if you have only provided the line disciplines that
++ you know you will be using, or if you wish to continue to use
++ the traditional method of on-demand loading of these modules
++ by any user.
++
++ This functionality can be changed at runtime with the
++ dev.tty.ldisc_autoload sysctl, this configuration option will
++ only set the default value of this functionality.
++
+ endif # TTY
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -492,6 +492,8 @@ static const struct file_operations hung
+ static DEFINE_SPINLOCK(redirect_lock);
+ static struct file *redirect;
+
++extern void tty_sysctl_init(void);
++
+ /**
+ * tty_wakeup - request more data
+ * @tty: terminal
+@@ -3625,6 +3627,7 @@ void console_sysfs_notify(void)
+ */
+ int __init tty_init(void)
+ {
++ tty_sysctl_init();
+ cdev_init(&tty_cdev, &tty_fops);
+ if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) ||
+ register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0)
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -151,6 +151,13 @@ static void put_ldops(struct tty_ldisc_o
+ * takes tty_ldiscs_lock to guard against ldisc races
+ */
+
++#if defined(CONFIG_LDISC_AUTOLOAD)
++ #define INITIAL_AUTOLOAD_STATE 1
++#else
++ #define INITIAL_AUTOLOAD_STATE 0
++#endif
++static int tty_ldisc_autoload = INITIAL_AUTOLOAD_STATE;
++
+ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc)
+ {
+ struct tty_ldisc *ld;
+@@ -165,6 +172,8 @@ static struct tty_ldisc *tty_ldisc_get(s
+ */
+ ldops = get_ldops(disc);
+ if (IS_ERR(ldops)) {
++ if (!capable(CAP_SYS_MODULE) && !tty_ldisc_autoload)
++ return ERR_PTR(-EPERM);
+ request_module("tty-ldisc-%d", disc);
+ ldops = get_ldops(disc);
+ if (IS_ERR(ldops))
+@@ -831,3 +840,41 @@ void tty_ldisc_begin(void)
+ /* Setup the default TTY line discipline. */
+ (void) tty_register_ldisc(N_TTY, &tty_ldisc_N_TTY);
+ }
++
++static int zero;
++static int one = 1;
++static struct ctl_table tty_table[] = {
++ {
++ .procname = "ldisc_autoload",
++ .data = &tty_ldisc_autoload,
++ .maxlen = sizeof(tty_ldisc_autoload),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ .extra1 = &zero,
++ .extra2 = &one,
++ },
++ { }
++};
++
++static struct ctl_table tty_dir_table[] = {
++ {
++ .procname = "tty",
++ .mode = 0555,
++ .child = tty_table,
++ },
++ { }
++};
++
++static struct ctl_table tty_root_table[] = {
++ {
++ .procname = "dev",
++ .mode = 0555,
++ .child = tty_dir_table,
++ },
++ { }
++};
++
++void tty_sysctl_init(void)
++{
++ register_sysctl_table(tty_root_table);
++}
--- /dev/null
+From c7084edc3f6d67750f50d4183134c4fb5712a5c8 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 5 Apr 2019 15:39:26 +0200
+Subject: tty: mark Siemens R3964 line discipline as BROKEN
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit c7084edc3f6d67750f50d4183134c4fb5712a5c8 upstream.
+
+The n_r3964 line discipline driver was written in a different time, when
+SMP machines were rare, and users were trusted to do the right thing.
+Since then, the world has moved on but not this code, it has stayed
+rooted in the past with its lovely hand-crafted list structures and
+loads of "interesting" race conditions all over the place.
+
+After attempting to clean up most of the issues, I just gave up and am
+now marking the driver as BROKEN so that hopefully someone who has this
+hardware will show up out of the woodwork (I know you are out there!)
+and will help with debugging a raft of changes that I had laying around
+for the code, but was too afraid to commit as odds are they would break
+things.
+
+Many thanks to Jann and Linus for pointing out the initial problems in
+this codebase, as well as many reviews of my attempts to fix the issues.
+It was a case of whack-a-mole, and as you can see, the mole won.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ drivers/char/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -380,7 +380,7 @@ config XILINX_HWICAP
+
+ config R3964
+ tristate "Siemens R3964 line discipline"
+- depends on TTY
++ depends on TTY && BROKEN
+ ---help---
+ This driver allows synchronous communication with devices using the
+ Siemens R3964 packet protocol. Unless you are dealing with special