authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-10-08 08:06:55 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-10-08 08:06:55 +0200
commitd34d1cf1269b9e1336343fc52c838a0c67d67705 (patch)
treecdc6aac8d86252f9f499100d3dd3d7296c0e0ce0
parent84a3676fa518b629712f632a429abeb972397292 (diff)
downloadqueue-3.18-d34d1cf1269b9e1336343fc52c838a0c67d67705.tar.gz
all patches now merged
-rw-r--r--hso-fix-null-deref-on-tty-open.patch54
-rw-r--r--ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch67
-rw-r--r--net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch62
-rw-r--r--net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch30
-rw-r--r--net-rds-fix-error-handling-in-rds_ib_add_one.patch47
-rw-r--r--nfc-fix-attrs-checks-in-netlink-interface.patch49
-rw-r--r--nfc-fix-memory-leak-in-llcp_sock_bind.patch62
-rw-r--r--ovl-filter-of-trusted-xattr-results-in-audit.patch42
-rw-r--r--sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch112
-rw-r--r--sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch73
-rw-r--r--series11
-rw-r--r--smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch50
12 files changed, 0 insertions, 659 deletions
diff --git a/hso-fix-null-deref-on-tty-open.patch b/hso-fix-null-deref-on-tty-open.patch
deleted file mode 100644
index 2a23c67..0000000
--- a/hso-fix-null-deref-on-tty-open.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 30 Sep 2019 17:12:41 +0200
-Subject: hso: fix NULL-deref on tty open
-
-From: Johan Hovold <johan@kernel.org>
-
-[ Upstream commit 8353da9fa69722b54cba82b2ec740afd3d438748 ]
-
-Fix NULL-pointer dereference on tty open due to a failure to handle a
-missing interrupt-in endpoint when probing modem ports:
-
- BUG: kernel NULL pointer dereference, address: 0000000000000006
- ...
- RIP: 0010:tiocmget_submit_urb+0x1c/0xe0 [hso]
- ...
- Call Trace:
- hso_start_serial_device+0xdc/0x140 [hso]
- hso_serial_open+0x118/0x1b0 [hso]
- tty_open+0xf1/0x490
-
-Fixes: 542f54823614 ("tty: Modem functions for the HSO driver")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/hso.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
---- a/drivers/net/usb/hso.c
-+++ b/drivers/net/usb/hso.c
-@@ -2639,14 +2639,18 @@ static struct hso_device *hso_create_bul
- */
- if (serial->tiocmget) {
- tiocmget = serial->tiocmget;
-+ tiocmget->endp = hso_get_ep(interface,
-+ USB_ENDPOINT_XFER_INT,
-+ USB_DIR_IN);
-+ if (!tiocmget->endp) {
-+ dev_err(&interface->dev, "Failed to find INT IN ep\n");
-+ goto exit;
-+ }
-+
- tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL);
- if (tiocmget->urb) {
- mutex_init(&tiocmget->mutex);
- init_waitqueue_head(&tiocmget->waitq);
-- tiocmget->endp = hso_get_ep(
-- interface,
-- USB_ENDPOINT_XFER_INT,
-- USB_DIR_IN);
- } else
- hso_free_tiomget(serial);
- }
diff --git a/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch b/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
deleted file mode 100644
index 63ac554..0000000
--- a/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Wed, 2 Oct 2019 09:38:55 -0700
-Subject: ipv6: drop incoming packets having a v4mapped source address
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ]
-
-This began with a syzbot report. syzkaller was injecting
-IPv6 TCP SYN packets having a v4mapped source address.
-
-After an unsuccessful 4-tuple lookup, TCP creates a request
-socket (SYN_RECV) and calls reqsk_queue_hash_req()
-
-reqsk_queue_hash_req() calls sk_ehashfn(sk)
-
-At this point we have AF_INET6 sockets, and the heuristic
-used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses
-is to use ipv6_addr_v4mapped(&sk->sk_v6_daddr)
-
-For the particular spoofed packet, we end up hashing V4 addresses
-which were not initialized by the TCP IPv6 stack, so KMSAN fired
-a warning.
-
-I first fixed sk_ehashfn() to test both source and destination addresses,
-but then faced various problems, including user-space programs
-like packetdrill that had similar assumptions.
-
-Instead of trying to fix the whole ecosystem, it is better
-to admit that we have a dual stack behavior, and that we
-can not build linux kernels without V4 stack anyway.
-
-The dual stack API automatically forces the traffic to be IPv4
-if v4mapped addresses are used at bind() or connect(), so it makes
-no sense to allow IPv6 traffic to use the same v4mapped class.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Florian Westphal <fw@strlen.de>
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv6/ip6_input.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/net/ipv6/ip6_input.c
-+++ b/net/ipv6/ip6_input.c
-@@ -151,6 +151,16 @@ int ipv6_rcv(struct sk_buff *skb, struct
- if (ipv6_addr_is_multicast(&hdr->saddr))
- goto err;
-
-+ /* While RFC4291 is not explicit about v4mapped addresses
-+ * in IPv6 headers, it seems clear linux dual-stack
-+ * model can not deal properly with these.
-+ * Security models could be fooled by ::ffff:127.0.0.1 for example.
-+ *
-+ * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
-+ */
-+ if (ipv6_addr_v4mapped(&hdr->saddr))
-+ goto err;
-+
- skb->transport_header = skb->network_header + sizeof(*hdr);
- IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
-
diff --git a/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch b/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
deleted file mode 100644
index d8476b7..0000000
--- a/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Fri, 4 Oct 2019 15:11:17 +0200
-Subject: net: ipv4: avoid mixed n_redirects and rate_tokens usage
-
-From: Paolo Abeni <pabeni@redhat.com>
-
-[ Upstream commit b406472b5ad79ede8d10077f0c8f05505ace8b6d ]
-
-Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter
-for icmp_v4 redirect packets") we use 'n_redirects' to account
-for redirect packets, but we still use 'rate_tokens' to compute
-the redirect packets exponential backoff.
-
-If the device sent to the relevant peer any ICMP error packet
-after sending a redirect, it will also update 'rate_token' according
-to the leaking bucket schema; typically 'rate_token' will raise
-above BITS_PER_LONG and the redirect packets backoff algorithm
-will produce undefined behavior.
-
-Fix the issue using 'n_redirects' to compute the exponential backoff
-in ip_rt_send_redirect().
-
-Note that we still clear rate_tokens after a redirect silence period,
-to avoid changing an established behaviour.
-
-The root cause predates git history; before the mentioned commit in
-the critical scenario, the kernel stopped sending redirects, after
-the mentioned commit the behavior more randomic.
-
-Reported-by: Xiumei Mu <xmu@redhat.com>
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets")
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/route.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -889,16 +889,15 @@ void ip_rt_send_redirect(struct sk_buff
- if (peer->rate_tokens == 0 ||
- time_after(jiffies,
- (peer->rate_last +
-- (ip_rt_redirect_load << peer->rate_tokens)))) {
-+ (ip_rt_redirect_load << peer->n_redirects)))) {
- __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr);
-
- icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw);
- peer->rate_last = jiffies;
-- ++peer->rate_tokens;
- ++peer->n_redirects;
- #ifdef CONFIG_IP_ROUTE_VERBOSE
- if (log_martians &&
-- peer->rate_tokens == ip_rt_redirect_number)
-+ peer->n_redirects == ip_rt_redirect_number)
- net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n",
- &ip_hdr(skb)->saddr, inet_iif(skb),
- &ip_hdr(skb)->daddr, &gw);
diff --git a/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch b/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
deleted file mode 100644
index a5b0311..0000000
--- a/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-Date: Fri, 4 Oct 2019 15:24:39 -0500
-Subject: net: qlogic: Fix memory leak in ql_alloc_large_buffers
-
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-
-[ Upstream commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 ]
-
-In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb.
-This skb should be released if pci_dma_mapping_error fails.
-
-Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()")
-Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/ethernet/qlogic/qla3xxx.c
-+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
-@@ -2787,6 +2787,7 @@ static int ql_alloc_large_buffers(struct
- netdev_err(qdev->ndev,
- "PCI mapping failed with error: %d\n",
- err);
-+ dev_kfree_skb_irq(skb);
- ql_free_large_buffers(qdev);
- return -ENOMEM;
- }
diff --git a/net-rds-fix-error-handling-in-rds_ib_add_one.patch b/net-rds-fix-error-handling-in-rds_ib_add_one.patch
deleted file mode 100644
index 53a416c..0000000
--- a/net-rds-fix-error-handling-in-rds_ib_add_one.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST
-From: Dotan Barak <dotanb@dev.mellanox.co.il>
-Date: Tue, 1 Oct 2019 10:21:02 -0700
-Subject: net/rds: Fix error handling in rds_ib_add_one()
-
-From: Dotan Barak <dotanb@dev.mellanox.co.il>
-
-[ Upstream commit d64bf89a75b65f83f06be9fb8f978e60d53752db ]
-
-rds_ibdev:ipaddr_list and rds_ibdev:conn_list are initialized
-after allocation some resources such as protection domain.
-If allocation of such resources fail, then these uninitialized
-variables are accessed in rds_ib_dev_free() in failure path. This
-can potentially crash the system. The code has been updated to
-initialize these variables very early in the function.
-
-Signed-off-by: Dotan Barak <dotanb@dev.mellanox.co.il>
-Signed-off-by: Sudhakar Dindukurti <sudhakar.dindukurti@oracle.com>
-Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/rds/ib.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/net/rds/ib.c
-+++ b/net/rds/ib.c
-@@ -146,6 +146,9 @@ static void rds_ib_add_one(struct ib_dev
- atomic_set(&rds_ibdev->refcount, 1);
- INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free);
-
-+ INIT_LIST_HEAD(&rds_ibdev->ipaddr_list);
-+ INIT_LIST_HEAD(&rds_ibdev->conn_list);
-+
- rds_ibdev->max_wrs = dev_attr->max_qp_wr;
- rds_ibdev->max_sge = min(dev_attr->max_sge, RDS_IB_MAX_SGE);
-
-@@ -176,9 +179,6 @@ static void rds_ib_add_one(struct ib_dev
- goto put_dev;
- }
-
-- INIT_LIST_HEAD(&rds_ibdev->ipaddr_list);
-- INIT_LIST_HEAD(&rds_ibdev->conn_list);
--
- down_write(&rds_ib_devices_lock);
- list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices);
- up_write(&rds_ib_devices_lock);
diff --git a/nfc-fix-attrs-checks-in-netlink-interface.patch b/nfc-fix-attrs-checks-in-netlink-interface.patch
deleted file mode 100644
index 920a4da..0000000
--- a/nfc-fix-attrs-checks-in-netlink-interface.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 18917d51472fe3b126a3a8f756c6b18085eb8130 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov <andreyknvl@google.com>
-Date: Mon, 29 Jul 2019 16:35:01 +0300
-Subject: NFC: fix attrs checks in netlink interface
-
-From: Andrey Konovalov <andreyknvl@google.com>
-
-commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream.
-
-nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
-attribute being present, but doesn't check whether it is actually
-provided by the user. Same goes for nfc_genl_fw_download() and
-NFC_ATTR_FIRMWARE_NAME.
-
-This patch adds appropriate checks.
-
-Found with syzkaller.
-
-Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/nfc/netlink.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/net/nfc/netlink.c
-+++ b/net/nfc/netlink.c
-@@ -852,7 +852,8 @@ static int nfc_genl_dep_link_down(struct
- int rc;
- u32 idx;
-
-- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
-+ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
-+ !info->attrs[NFC_ATTR_TARGET_INDEX])
- return -EINVAL;
-
- idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
-@@ -1106,7 +1107,8 @@ static int nfc_genl_fw_download(struct s
- u32 idx;
- char firmware_name[NFC_FIRMWARE_NAME_MAXSIZE + 1];
-
-- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
-+ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
-+ !info->attrs[NFC_ATTR_FIRMWARE_NAME])
- return -EINVAL;
-
- idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
diff --git a/nfc-fix-memory-leak-in-llcp_sock_bind.patch b/nfc-fix-memory-leak-in-llcp_sock_bind.patch
deleted file mode 100644
index 0ed1b68..0000000
--- a/nfc-fix-memory-leak-in-llcp_sock_bind.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 4 Oct 2019 11:08:34 -0700
-Subject: nfc: fix memory leak in llcp_sock_bind()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ]
-
-sysbot reported a memory leak after a bind() has failed.
-
-While we are at it, abort the operation if kmemdup() has failed.
-
-BUG: memory leak
-unreferenced object 0xffff888105d83ec0 (size 32):
- comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s)
- hex dump (first 32 bytes):
- 00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34 .ile read.net:[4
- 30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00 026533097]......
- backtrace:
- [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline]
- [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline]
- [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline]
- [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline]
- [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670
- [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120
- [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline]
- [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107
- [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647
- [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline]
- [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline]
- [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656
- [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296
- [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/nfc/llcp_sock.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/net/nfc/llcp_sock.c
-+++ b/net/nfc/llcp_sock.c
-@@ -118,9 +118,14 @@ static int llcp_sock_bind(struct socket
- llcp_sock->service_name = kmemdup(llcp_addr.service_name,
- llcp_sock->service_name_len,
- GFP_KERNEL);
--
-+ if (!llcp_sock->service_name) {
-+ ret = -ENOMEM;
-+ goto put_dev;
-+ }
- llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
- if (llcp_sock->ssap == LLCP_SAP_MAX) {
-+ kfree(llcp_sock->service_name);
-+ llcp_sock->service_name = NULL;
- ret = -EADDRINUSE;
- goto put_dev;
- }
diff --git a/ovl-filter-of-trusted-xattr-results-in-audit.patch b/ovl-filter-of-trusted-xattr-results-in-audit.patch
deleted file mode 100644
index 27af2ba..0000000
--- a/ovl-filter-of-trusted-xattr-results-in-audit.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5c2e9f346b815841f9bed6029ebcb06415caf640 Mon Sep 17 00:00:00 2001
-From: Mark Salyzyn <salyzyn@android.com>
-Date: Thu, 29 Aug 2019 11:30:14 -0700
-Subject: ovl: filter of trusted xattr results in audit
-
-From: Mark Salyzyn <salyzyn@android.com>
-
-commit 5c2e9f346b815841f9bed6029ebcb06415caf640 upstream.
-
-When filtering xattr list for reading, presence of trusted xattr
-results in a security audit log. However, if there is other content
-no errno will be set, and if there isn't, the errno will be -ENODATA
-and not -EPERM as is usually associated with a lack of capability.
-The check does not block the request to list the xattrs present.
-
-Switch to ns_capable_noaudit to reflect a more appropriate check.
-
-Signed-off-by: Mark Salyzyn <salyzyn@android.com>
-Cc: linux-security-module@vger.kernel.org
-Cc: kernel-team@android.com
-Cc: stable@vger.kernel.org # v3.18+
-Fixes: a082c6f680da ("ovl: filter trusted xattr for non-admin")
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-[added export to get this to build - gregkh]
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/overlayfs/inode.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/fs/overlayfs/inode.c
-+++ b/fs/overlayfs/inode.c
-@@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s)
- return true;
-
- /* Never list trusted.overlay, list other trusted for superuser only */
-- return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
-+ return !ovl_is_private_xattr(s) &&
-+ has_capability_noaudit(current, CAP_SYS_ADMIN);
- }
-
- ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
diff --git a/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch b/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
deleted file mode 100644
index 3f40283..0000000
--- a/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From foo@baz Sun 06 Oct 2019 10:01:35 AM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Thu, 26 Sep 2019 18:24:43 -0700
-Subject: sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ]
-
-syzbot reported a crash in cbq_normalize_quanta() caused
-by an out of range cl->priority.
-
-iproute2 enforces this check, but malicious users do not.
-
-kasan: CONFIG_KASAN_INLINE enabled
-kasan: GPF could be caused by NULL-ptr deref or user memory access
-general protection fault: 0000 [#1] SMP KASAN PTI
-Modules linked in:
-CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902
-RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206
-RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000
-RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018
-RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef
-R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015
-FS: 00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- [<ffffffff83be9d57>] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline]
- [<ffffffff83be9d57>] cbq_addprio net/sched/sch_cbq.c:1097 [inline]
- [<ffffffff83be9d57>] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115
- [<ffffffff83bee8a7>] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537
- [<ffffffff83b96985>] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329
- [<ffffffff83a84655>] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248
- [<ffffffff83cadf0a>] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510
- [<ffffffff83a7db6d>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5266
- [<ffffffff83cac2c6>] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline]
- [<ffffffff83cac2c6>] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350
- [<ffffffff83cacd4a>] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939
- [<ffffffff8399d46e>] sock_sendmsg_nosec net/socket.c:673 [inline]
- [<ffffffff8399d46e>] sock_sendmsg+0x12e/0x170 net/socket.c:684
- [<ffffffff8399f1fd>] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359
- [<ffffffff839a2d05>] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397
- [<ffffffff839a2df9>] SYSC_sendmsg net/socket.c:2406 [inline]
- [<ffffffff839a2df9>] SyS_sendmsg+0x29/0x30 net/socket.c:2404
- [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
- [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/sch_cbq.c | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
---- a/net/sched/sch_cbq.c
-+++ b/net/sched/sch_cbq.c
-@@ -1340,6 +1340,26 @@ static const struct nla_policy cbq_polic
- [TCA_CBQ_POLICE] = { .len = sizeof(struct tc_cbq_police) },
- };
-
-+static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], struct nlattr *opt)
-+{
-+ int err;
-+
-+ if (!opt)
-+ return -EINVAL;
-+
-+ err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ if (err < 0)
-+ return err;
-+
-+ if (tb[TCA_CBQ_WRROPT]) {
-+ const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]);
-+
-+ if (wrr->priority > TC_CBQ_MAXPRIO)
-+ err = -EINVAL;
-+ }
-+ return err;
-+}
-+
- static int cbq_init(struct Qdisc *sch, struct nlattr *opt)
- {
- struct cbq_sched_data *q = qdisc_priv(sch);
-@@ -1347,7 +1367,7 @@ static int cbq_init(struct Qdisc *sch, s
- struct tc_ratespec *r;
- int err;
-
-- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ err = cbq_opt_parse(tb, opt);
- if (err < 0)
- return err;
-
-@@ -1728,10 +1748,7 @@ cbq_change_class(struct Qdisc *sch, u32
- struct cbq_class *parent;
- struct qdisc_rate_table *rtab = NULL;
-
-- if (opt == NULL)
-- return -EINVAL;
--
-- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ err = cbq_opt_parse(tb, opt);
- if (err < 0)
- return err;
-
diff --git a/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch b/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
deleted file mode 100644
index 174a8ee..0000000
--- a/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 4 Oct 2019 10:34:45 -0700
-Subject: sch_dsmark: fix potential NULL deref in dsmark_init()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 ]
-
-Make sure TCA_DSMARK_INDICES was provided by the user.
-
-syzbot reported :
-
-kasan: CONFIG_KASAN_INLINE enabled
-kasan: GPF could be caused by NULL-ptr deref or user memory access
-general protection fault: 0000 [#1] PREEMPT SMP KASAN
-CPU: 1 PID: 8799 Comm: syz-executor235 Not tainted 5.3.0+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-RIP: 0010:nla_get_u16 include/net/netlink.h:1501 [inline]
-RIP: 0010:dsmark_init net/sched/sch_dsmark.c:364 [inline]
-RIP: 0010:dsmark_init+0x193/0x640 net/sched/sch_dsmark.c:339
-Code: 85 db 58 0f 88 7d 03 00 00 e8 e9 1a ac fb 48 8b 9d 70 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ca
-RSP: 0018:ffff88809426f3b8 EFLAGS: 00010247
-RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff85c6eb09
-RDX: 0000000000000000 RSI: ffffffff85c6eb17 RDI: 0000000000000004
-RBP: ffff88809426f4b0 R08: ffff88808c4085c0 R09: ffffed1015d26159
-R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a7e96940
-R13: dffffc0000000000 R14: ffff88809426f8c0 R15: 0000000000000000
-FS: 0000000001292880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000020000080 CR3: 000000008ca1b000 CR4: 00000000001406e0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- qdisc_create+0x4ee/0x1210 net/sched/sch_api.c:1237
- tc_modify_qdisc+0x524/0x1c50 net/sched/sch_api.c:1653
- rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5223
- netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
- rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241
- netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
- netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
- netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
- sock_sendmsg_nosec net/socket.c:637 [inline]
- sock_sendmsg+0xd7/0x130 net/socket.c:657
- ___sys_sendmsg+0x803/0x920 net/socket.c:2311
- __sys_sendmsg+0x105/0x1d0 net/socket.c:2356
- __do_sys_sendmsg net/socket.c:2365 [inline]
- __se_sys_sendmsg net/socket.c:2363 [inline]
- __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
- do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x440369
-
-Fixes: 758cc43c6d73 ("[PKT_SCHED]: Fix dsmark to apply changes consistent")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/sch_dsmark.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/sched/sch_dsmark.c
-+++ b/net/sched/sch_dsmark.c
-@@ -354,6 +354,8 @@ static int dsmark_init(struct Qdisc *sch
- goto errout;
-
- err = -EINVAL;
-+ if (!tb[TCA_DSMARK_INDICES])
-+ goto errout;
- indices = nla_get_u16(tb[TCA_DSMARK_INDICES]);
-
- if (hweight32(indices) != 1)
diff --git a/series b/series
index b274e0a..e69de29 100644
--- a/series
+++ b/series
@@ -1,11 +0,0 @@
-hso-fix-null-deref-on-tty-open.patch
-ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
-net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
-net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
-nfc-fix-memory-leak-in-llcp_sock_bind.patch
-sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
-net-rds-fix-error-handling-in-rds_ib_add_one.patch
-sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
-smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
-nfc-fix-attrs-checks-in-netlink-interface.patch
-ovl-filter-of-trusted-xattr-results-in-audit.patch
diff --git a/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch b/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
deleted file mode 100644
index 675bf38..0000000
--- a/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3675f052b43ba51b99b85b073c7070e083f3e6fb Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Thu, 4 Jul 2019 20:44:44 +0200
-Subject: Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
-
-From: Jann Horn <jannh@google.com>
-
-commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
-
-There is a logic bug in the current smack_bprm_set_creds():
-If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
-acceptable (e.g. because the ptracer detached in the meantime), the other
-->unsafe flags aren't checked. As far as I can tell, this means that
-something like the following could work (but I haven't tested it):
-
- - task A: create task B with fork()
- - task B: set NO_NEW_PRIVS
- - task B: install a seccomp filter that makes open() return 0 under some
- conditions
- - task B: replace fd 0 with a malicious library
- - task A: attach to task B with PTRACE_ATTACH
- - task B: execve() a file with an SMACK64EXEC extended attribute
- - task A: while task B is still in the middle of execve(), exit (which
- destroys the ptrace relationship)
-
-Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
-bprm->unsafe, we reject the execve().
-
-Cc: stable@vger.kernel.org
-Fixes: 5663884caab1 ("Smack: unify all ptrace accesses in the smack")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- security/smack/smack_lsm.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -699,7 +699,8 @@ static int smack_bprm_set_creds(struct l
-
- if (rc != 0)
- return rc;
-- } else if (bprm->unsafe)
-+ }
-+ if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
- return -EPERM;
-
- bsp->smk_task = isp->smk_task;