--- /dev/null
+From 72ff2bf04db2a48840df93a461b7115900f46c05 Mon Sep 17 00:00:00 2001
+From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+Date: Sun, 22 Aug 2021 09:15:14 +0530
+Subject: crypto: aesni - xts_crypt() return if walk.nbytes is 0
+
+From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+
+commit 72ff2bf04db2a48840df93a461b7115900f46c05 upstream.
+
+xts_crypt() code doesn't call kernel_fpu_end() after calling
+kernel_fpu_begin() if walk.nbytes is 0. The correct behavior should be
+not calling kernel_fpu_begin() if walk.nbytes is 0.
+
+Reported-by: syzbot+20191dc583eff8602d2d@syzkaller.appspotmail.com
+Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/crypto/aesni-intel_glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -849,7 +849,7 @@ static int xts_crypt(struct skcipher_req
+ return -EINVAL;
+
+ err = skcipher_walk_virt(&walk, req, false);
+- if (err)
++ if (!walk.nbytes)
+ return err;
+
+ if (unlikely(tail > 0 && walk.nbytes < walk.total)) {
--- /dev/null
+From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001
+From: "F.A.Sulaiman" <asha.16@itfac.mrt.ac.lk>
+Date: Tue, 24 Aug 2021 20:37:30 +0530
+Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe
+
+From: F.A.Sulaiman <asha.16@itfac.mrt.ac.lk>
+
+commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream.
+
+Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
+The problem is the driver assumes the device must have an input report but
+some malicious devices violate this assumption.
+
+So this patch checks hid_device's input is non empty before it's been used.
+
+Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
+Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
+Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-betopff.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -56,15 +56,22 @@ static int betopff_init(struct hid_devic
+ {
+ struct betopff_device *betopff;
+ struct hid_report *report;
+- struct hid_input *hidinput =
+- list_first_entry(&hid->inputs, struct hid_input, list);
++ struct hid_input *hidinput;
+ struct list_head *report_list =
+ &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+- struct input_dev *dev = hidinput->input;
++ struct input_dev *dev;
+ int field_count = 0;
+ int error;
+ int i, j;
+
++ if (list_empty(&hid->inputs)) {
++ hid_err(hid, "no inputs found\n");
++ return -ENODEV;
++ }
++
++ hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
++ dev = hidinput->input;
++
+ if (list_empty(report_list)) {
+ hid_err(hid, "no output reports found\n");
+ return -ENODEV;
--- /dev/null
+From f7744fa16b96da57187dc8e5634152d3b63d72de Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Thu, 24 Jun 2021 00:10:29 +0530
+Subject: HID: usbhid: free raw_report buffers in usbhid_stop
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream.
+
+Free the unsent raw_report buffers when the device is removed.
+
+Fixes a memory leak reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47
+
+Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/usbhid/hid-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -505,7 +505,7 @@ static void hid_ctrl(struct urb *urb)
+
+ if (unplug) {
+ usbhid->ctrltail = usbhid->ctrlhead;
+- } else {
++ } else if (usbhid->ctrlhead != usbhid->ctrltail) {
+ usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
+
+ if (usbhid->ctrlhead != usbhid->ctrltail &&
+@@ -1223,9 +1223,20 @@ static void usbhid_stop(struct hid_devic
+ mutex_lock(&usbhid->mutex);
+
+ clear_bit(HID_STARTED, &usbhid->iofl);
++
+ spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
+ set_bit(HID_DISCONNECTED, &usbhid->iofl);
++ while (usbhid->ctrltail != usbhid->ctrlhead) {
++ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
++ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
++ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
++ }
++
++ usbhid->ctrltail = (usbhid->ctrltail + 1) &
++ (HID_CONTROL_FIFO_SIZE - 1);
++ }
+ spin_unlock_irq(&usbhid->lock);
++
+ usb_kill_urb(usbhid->urbin);
+ usb_kill_urb(usbhid->urbout);
+ usb_kill_urb(usbhid->urbctrl);
--- /dev/null
+From eb7511bf9182292ef1df1082d23039e856d1ddfb Mon Sep 17 00:00:00 2001
+From: Haimin Zhang <tcs_kernel@tencent.com>
+Date: Fri, 3 Sep 2021 10:37:06 +0800
+Subject: KVM: x86: Handle SRCU initialization failure during page track init
+
+From: Haimin Zhang <tcs_kernel@tencent.com>
+
+commit eb7511bf9182292ef1df1082d23039e856d1ddfb upstream.
+
+Check the return of init_srcu_struct(), which can fail due to OOM, when
+initializing the page track mechanism. Lack of checking leads to a NULL
+pointer deref found by a modified syzkaller.
+
+Reported-by: TCS Robot <tcs_robot@tencent.com>
+Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
+Message-Id: <1630636626-12262-1-git-send-email-tcs_kernel@tencent.com>
+[Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_page_track.h | 2 +-
+ arch/x86/kvm/mmu/page_track.c | 4 ++--
+ arch/x86/kvm/x86.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_page_track.h
++++ b/arch/x86/include/asm/kvm_page_track.h
+@@ -46,7 +46,7 @@ struct kvm_page_track_notifier_node {
+ struct kvm_page_track_notifier_node *node);
+ };
+
+-void kvm_page_track_init(struct kvm *kvm);
++int kvm_page_track_init(struct kvm *kvm);
+ void kvm_page_track_cleanup(struct kvm *kvm);
+
+ void kvm_page_track_free_memslot(struct kvm_memory_slot *slot);
+--- a/arch/x86/kvm/mmu/page_track.c
++++ b/arch/x86/kvm/mmu/page_track.c
+@@ -163,13 +163,13 @@ void kvm_page_track_cleanup(struct kvm *
+ cleanup_srcu_struct(&head->track_srcu);
+ }
+
+-void kvm_page_track_init(struct kvm *kvm)
++int kvm_page_track_init(struct kvm *kvm)
+ {
+ struct kvm_page_track_notifier_head *head;
+
+ head = &kvm->arch.track_notifier_head;
+- init_srcu_struct(&head->track_srcu);
+ INIT_HLIST_HEAD(&head->track_notifier_list);
++ return init_srcu_struct(&head->track_srcu);
+ }
+
+ /*
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -11093,9 +11093,15 @@ void kvm_arch_free_vm(struct kvm *kvm)
+
+ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ {
++ int ret;
++
+ if (type)
+ return -EINVAL;
+
++ ret = kvm_page_track_init(kvm);
++ if (ret)
++ return ret;
++
+ INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
+ INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
+ INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
+@@ -11128,7 +11134,6 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+
+ kvm_apicv_init(kvm);
+ kvm_hv_init_vm(kvm);
+- kvm_page_track_init(kvm);
+ kvm_mmu_init_vm(kvm);
+
+ return static_call(kvm_x86_vm_init)(kvm);
--- /dev/null
+From 7661809d493b426e979f39ab512e3adf41fbcc69 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 14 Jul 2021 09:45:49 -0700
+Subject: mm: don't allow oversized kvmalloc() calls
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 7661809d493b426e979f39ab512e3adf41fbcc69 upstream.
+
+'kvmalloc()' is a convenience function for people who want to do a
+kmalloc() but fall back on vmalloc() if there aren't enough physically
+contiguous pages, or if the allocation is larger than what kmalloc()
+supports.
+
+However, let's make sure it doesn't get _too_ easy to do crazy things
+with it. In particular, don't allow big allocations that could be due
+to integer overflow or underflow. So make sure the allocation size fits
+in an 'int', to protect against trivial integer conversion issues.
+
+Acked-by: Willy Tarreau <w@1wt.eu>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -593,6 +593,10 @@ void *kvmalloc_node(size_t size, gfp_t f
+ if (ret || size <= PAGE_SIZE)
+ return ret;
+
++ /* Don't even allow crazy sizes */
++ if (WARN_ON_ONCE(size > INT_MAX))
++ return NULL;
++
+ return __vmalloc_node(size, 1, flags, node,
+ __builtin_return_address(0));
+ }
--- /dev/null
+From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001
+From: Yanfei Xu <yanfei.xu@windriver.com>
+Date: Sun, 26 Sep 2021 12:53:13 +0800
+Subject: net: mdiobus: Fix memory leak in __mdiobus_register
+
+From: Yanfei Xu <yanfei.xu@windriver.com>
+
+commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it will cause memory
+leak.
+
+BUG: memory leak
+unreferenced object 0xffff888114032e00 (size 256):
+ comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff ................
+ 08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff .........ve.....
+ backtrace:
+ [<ffffffff8265cfab>] kmalloc include/linux/slab.h:591 [inline]
+ [<ffffffff8265cfab>] kzalloc include/linux/slab.h:721 [inline]
+ [<ffffffff8265cfab>] device_private_init drivers/base/core.c:3203 [inline]
+ [<ffffffff8265cfab>] device_add+0x89b/0xdf0 drivers/base/core.c:3253
+ [<ffffffff828dd643>] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
+ [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+ [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+ [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+ [<ffffffff82660916>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
+ [<ffffffff8265cd0b>] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
+ [<ffffffff82c343b9>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
+ [<ffffffff82c4473c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+
+BUG: memory leak
+unreferenced object 0xffff888116f06900 (size 32):
+ comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
+ hex dump (first 32 bytes):
+ 75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00 usb-001:003.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81484516>] kstrdup+0x36/0x70 mm/util.c:60
+ [<ffffffff814845a3>] kstrdup_const+0x53/0x80 mm/util.c:83
+ [<ffffffff82296ba2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
+ [<ffffffff82358d4b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
+ [<ffffffff826575f3>] dev_set_name+0x63/0x90 drivers/base/core.c:3147
+ [<ffffffff828dd63b>] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
+ [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+ [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+ [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+
+Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -541,6 +541,7 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
++ put_device(&bus->dev);
+ return -EINVAL;
+ }
+
--- /dev/null
+From e9edc188fc76499b0b9bd60364084037f6d03773 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 17 Sep 2021 15:15:56 -0700
+Subject: netfilter: conntrack: serialize hash resizes and cleanups
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e9edc188fc76499b0b9bd60364084037f6d03773 upstream.
+
+Syzbot was able to trigger the following warning [1]
+
+No repro found by syzbot yet but I was able to trigger similar issue
+by having 2 scripts running in parallel, changing conntrack hash sizes,
+and:
+
+for j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done
+
+It would take more than 5 minutes for net_namespace structures
+to be cleaned up.
+
+This is because nf_ct_iterate_cleanup() has to restart everytime
+a resize happened.
+
+By adding a mutex, we can serialize hash resizes and cleanups
+and also make get_next_corpse() faster by skipping over empty
+buckets.
+
+Even without resizes in the picture, this patch considerably
+speeds up network namespace dismantles.
+
+[1]
+INFO: task syz-executor.0:8312 can't die for more than 144 seconds.
+task:syz-executor.0 state:R running task stack:25672 pid: 8312 ppid: 6573 flags:0x00004006
+Call Trace:
+ context_switch kernel/sched/core.c:4955 [inline]
+ __schedule+0x940/0x26f0 kernel/sched/core.c:6236
+ preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408
+ preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35
+ __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390
+ local_bh_enable include/linux/bottom_half.h:32 [inline]
+ get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]
+ nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275
+ nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469
+ ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171
+ setup_net+0x639/0xa30 net/core/net_namespace.c:349
+ copy_net_ns+0x319/0x760 net/core/net_namespace.c:470
+ create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
+ unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
+ ksys_unshare+0x445/0x920 kernel/fork.c:3128
+ __do_sys_unshare kernel/fork.c:3202 [inline]
+ __se_sys_unshare kernel/fork.c:3200 [inline]
+ __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f63da68e739
+RSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
+RAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
+RBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80
+R13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000
+
+Showing all locks held in the system:
+1 lock held by khungtaskd/27:
+ #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
+2 locks held by kworker/u4:2/153:
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]
+ #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268
+ #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272
+1 lock held by systemd-udevd/2970:
+1 lock held by in:imklog/6258:
+ #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990
+3 locks held by kworker/1:6/8158:
+1 lock held by syz-executor.0/8312:
+2 locks held by kworker/u4:13/9320:
+1 lock held by syz-executor.5/10178:
+1 lock held by syz-executor.4/10217:
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_core.c | 70 ++++++++++++++++++++------------------
+ 1 file changed, 37 insertions(+), 33 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -75,6 +75,9 @@ static __read_mostly struct kmem_cache *
+ static DEFINE_SPINLOCK(nf_conntrack_locks_all_lock);
+ static __read_mostly bool nf_conntrack_locks_all;
+
++/* serialize hash resizes and nf_ct_iterate_cleanup */
++static DEFINE_MUTEX(nf_conntrack_mutex);
++
+ #define GC_SCAN_INTERVAL (120u * HZ)
+ #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10)
+
+@@ -2192,28 +2195,31 @@ get_next_corpse(int (*iter)(struct nf_co
+ spinlock_t *lockp;
+
+ for (; *bucket < nf_conntrack_htable_size; (*bucket)++) {
++ struct hlist_nulls_head *hslot = &nf_conntrack_hash[*bucket];
++
++ if (hlist_nulls_empty(hslot))
++ continue;
++
+ lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS];
+ local_bh_disable();
+ nf_conntrack_lock(lockp);
+- if (*bucket < nf_conntrack_htable_size) {
+- hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[*bucket], hnnode) {
+- if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY)
+- continue;
+- /* All nf_conn objects are added to hash table twice, one
+- * for original direction tuple, once for the reply tuple.
+- *
+- * Exception: In the IPS_NAT_CLASH case, only the reply
+- * tuple is added (the original tuple already existed for
+- * a different object).
+- *
+- * We only need to call the iterator once for each
+- * conntrack, so we just use the 'reply' direction
+- * tuple while iterating.
+- */
+- ct = nf_ct_tuplehash_to_ctrack(h);
+- if (iter(ct, data))
+- goto found;
+- }
++ hlist_nulls_for_each_entry(h, n, hslot, hnnode) {
++ if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY)
++ continue;
++ /* All nf_conn objects are added to hash table twice, one
++ * for original direction tuple, once for the reply tuple.
++ *
++ * Exception: In the IPS_NAT_CLASH case, only the reply
++ * tuple is added (the original tuple already existed for
++ * a different object).
++ *
++ * We only need to call the iterator once for each
++ * conntrack, so we just use the 'reply' direction
++ * tuple while iterating.
++ */
++ ct = nf_ct_tuplehash_to_ctrack(h);
++ if (iter(ct, data))
++ goto found;
+ }
+ spin_unlock(lockp);
+ local_bh_enable();
+@@ -2231,26 +2237,20 @@ found:
+ static void nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data),
+ void *data, u32 portid, int report)
+ {
+- unsigned int bucket = 0, sequence;
++ unsigned int bucket = 0;
+ struct nf_conn *ct;
+
+ might_sleep();
+
+- for (;;) {
+- sequence = read_seqcount_begin(&nf_conntrack_generation);
+-
+- while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
+- /* Time to push up daises... */
++ mutex_lock(&nf_conntrack_mutex);
++ while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
++ /* Time to push up daises... */
+
+- nf_ct_delete(ct, portid, report);
+- nf_ct_put(ct);
+- cond_resched();
+- }
+-
+- if (!read_seqcount_retry(&nf_conntrack_generation, sequence))
+- break;
+- bucket = 0;
++ nf_ct_delete(ct, portid, report);
++ nf_ct_put(ct);
++ cond_resched();
+ }
++ mutex_unlock(&nf_conntrack_mutex);
+ }
+
+ struct iter_data {
+@@ -2486,8 +2486,10 @@ int nf_conntrack_hash_resize(unsigned in
+ if (!hash)
+ return -ENOMEM;
+
++ mutex_lock(&nf_conntrack_mutex);
+ old_size = nf_conntrack_htable_size;
+ if (old_size == hashsize) {
++ mutex_unlock(&nf_conntrack_mutex);
+ kvfree(hash);
+ return 0;
+ }
+@@ -2523,6 +2525,8 @@ int nf_conntrack_hash_resize(unsigned in
+ nf_conntrack_all_unlock();
+ local_bh_enable();
+
++ mutex_unlock(&nf_conntrack_mutex);
++
+ synchronize_net();
+ kvfree(old_hash);
+ return 0;
--- /dev/null
+From 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+Date: Mon, 6 Sep 2021 18:26:34 +0200
+Subject: netfilter: ipset: Fix oversized kvmalloc() calls
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream.
+
+The commit
+
+commit 7661809d493b426e979f39ab512e3adf41fbcc69
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Jul 14 09:45:49 2021 -0700
+
+ mm: don't allow oversized kvmalloc() calls
+
+limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
+same limit in ipset.
+
+Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com
+Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com
+Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -130,11 +130,11 @@ htable_size(u8 hbits)
+ {
+ size_t hsize;
+
+- /* We must fit both into u32 in jhash and size_t */
++ /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */
+ if (hbits > 31)
+ return 0;
+ hsize = jhash_size(hbits);
+- if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *)
++ if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *)
+ < hsize)
+ return 0;
+
--- /dev/null
+From 45928afe94a094bcda9af858b96673d59bc4a0e9 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 13 Sep 2021 20:38:52 +0200
+Subject: netfilter: nf_tables: Fix oversized kvmalloc() calls
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 45928afe94a094bcda9af858b96673d59bc4a0e9 upstream.
+
+The commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls")
+limits the max allocatable memory via kvmalloc() to MAX_INT.
+
+Reported-by: syzbot+cd43695a64bcd21b8596@syzkaller.appspotmail.com
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4336,7 +4336,7 @@ static int nf_tables_newset(struct sk_bu
+ if (ops->privsize != NULL)
+ size = ops->privsize(nla, &desc);
+ alloc_size = sizeof(*set) + size + udlen;
+- if (alloc_size < size)
++ if (alloc_size < size || alloc_size > INT_MAX)
+ return -ENOMEM;
+ set = kvzalloc(alloc_size, GFP_KERNEL);
+ if (!set)
net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch
nios2-setup.c-drop-unused-variable-dram_start.patch
usb-hso-remove-the-bailout-parameter.patch
+hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
+netfilter-ipset-fix-oversized-kvmalloc-calls.patch
+mm-don-t-allow-oversized-kvmalloc-calls.patch
+hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
+crypto-aesni-xts_crypt-return-if-walk.nbytes-is-0.patch
+net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
+kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch
+netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch
+netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
