Description:
References:
 https://source.android.com/security/bulletin/pixel/2022-03-01
 https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568
Notes:
 bwh> This is puzzling. The UAF occurs in net/sched/cls_api.c where
 bwh> all access to the qdisc state seems to be protected by the RTNL
 bwh> already, so it's not clear why switching to RCU protection would
 bwh> help. The syzkaller-generated reproducer also didn't work for me.
 bwh> So I can't tell whether 4.9 might also be affected.
 carnil> For 4.9.y this has a separate backport, cf.
 carnil> https://lore.kernel.org/netdev/YnE%2FQ3SwZuG9HQNv@quatroqueijos/T/#t
 carnil> which is applied.
Bugs:
upstream: released (4.20-rc1) [e368fdb61d8e7c67ac70791b23345b26d7bbc661, 9d7e82cec35c027756ec97e274f878251f271181, 3a7d0d07a386716b459b00783b11a8211cefcc0f, 86bd446b5cebd783187ea3772ff258210de77d99, 6f99528e9797794b91b43321fbbc93fe772b0803]
5.10-upstream-stable: N/A "Fixed before branching point"
4.19-upstream-stable: released (4.19.221) [ae214e04b95ff64a4b0e9aab6742520bfde6ff0c, da1d324088c40fa0a382224c466175fc5c704106, f602ed9f8574512e7ea1ab65c3db7ba71053bf27, 92833e8b5db6c209e9311ac8c6a44d3bf1856659, cd25f1099284a0cbe916344fc1e6c1ffed6c5306]
4.9-upstream-stable: released (4.9.313) [2b29404f4eea7da878a8a8c5b301d9adf6f56d55]
sid: released (5.2.6-1)
5.10-bullseye-security: N/A "Fixed before branching point"
4.19-buster-security: released (4.19.232-1)
4.9-stretch-security: released (4.9.320-2)