--- /dev/null
+From 9a9e77495958c7382b2438bc19746dd3aaaabb8e Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 5 Oct 2020 02:25:36 +0530
+Subject: net: team: fix memory leak in __team_options_register
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream.
+
+The variable "i" isn't initialized back correctly after the first loop
+under the label inst_rollback gets executed.
+
+The value of "i" is assigned to be option_count - 1, and the ensuing
+loop (under alloc_rollback) begins by initializing i--.
+Thus, the value of i when the loop begins execution will now become
+i = option_count - 2.
+
+Thus, when kfree(dst_opts[i]) is called in the second loop in this
+order, (i.e., inst_rollback followed by alloc_rollback),
+dst_optsp[option_count - 2] is the first element freed, and
+dst_opts[option_count - 1] does not get freed, and thus, a memory
+leak is caused.
+
+This memory leak can be fixed, by assigning i = option_count (instead of
+option_count - 1).
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -285,7 +285,7 @@ inst_rollback:
+ for (i--; i >= 0; i--)
+ __team_option_inst_del_option(team, dst_opts[i]);
+
+- i = option_count - 1;
++ i = option_count;
+ alloc_rollback:
+ for (i--; i >= 0; i--)
+ kfree(dst_opts[i]);
--- /dev/null
+From 89d01748b2354e210b5d4ea47bc25a42a1b42c82 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 25 Sep 2020 06:38:08 -0700
+Subject: team: set dev->needed_headroom in team_setup_by_port()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 89d01748b2354e210b5d4ea47bc25a42a1b42c82 upstream.
+
+Some devices set needed_headroom. If we ignore it, we might
+end up crashing in various skb_push() for example in ipgre_header()
+since some layers assume enough headroom has been reserved.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2038,6 +2038,7 @@ static void team_setup_by_port(struct ne
+ dev->header_ops = port_dev->header_ops;
+ dev->type = port_dev->type;
+ dev->hard_header_len = port_dev->hard_header_len;
++ dev->needed_headroom = port_dev->needed_headroom;
+ dev->addr_len = port_dev->addr_len;
+ dev->mtu = port_dev->mtu;
+ memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len);
projects / thirdparty / kernel / stable-queue.git / commitdiff
