4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 Nov 2019 07:55:48 +0000 (08:55 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 Nov 2019 07:55:48 +0000 (08:55 +0100)
added patches:
slcan-fix-memory-leak-in-error-path.patch

queue-4.9/series
queue-4.9/slcan-fix-memory-leak-in-error-path.patch [new file with mode: 0644]

index 66206c5ea47b1deaad794a986e5d1cb8e46a39f5..9adddeb47c79d02a1b227990660c5397aee1b8f4 100644 (file)
@@ -144,3 +144,4 @@ usb-xhci-mtk-fix-isoc-error-when-interval-is-zero.patch
 fuse-use-read_once-on-congestion_threshold-and-max_b.patch
 ib-iser-fix-possible-null-deref-at-iser_inv_desc.patch
 memfd-use-radix_tree_deref_slot_protected-to-avoid-the-warning.patch
+slcan-fix-memory-leak-in-error-path.patch
diff --git a/queue-4.9/slcan-fix-memory-leak-in-error-path.patch b/queue-4.9/slcan-fix-memory-leak-in-error-path.patch
new file mode 100644 (file)
index 0000000..63ec75f
--- /dev/null
@@ -0,0 +1,53 @@
+From ed50e1600b4483c049ce76e6bd3b665a6a9300ed Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 12:08:01 +0200
+Subject: slcan: Fix memory leak in error path
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.
+
+This patch is fixing memory leak reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+  hex dump (first 32 bytes):
+    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  backtrace:
+    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+    [<000000008ea75434>] 0xffffffffffffffff
+
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/slcan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -613,6 +613,7 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      free_netdev(sl->dev);
+ err_exit:
+       rtnl_unlock();
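Review bot: The added `free_netdev(sl->dev);` under `err_free_chan` frees the net_device, but nothing visible in the hunk drops other references to it, so the leak fix may trade a leak for a use-after-free. If, as I recall from slcan.c, the driver keeps each allocated device in a module-level table that the open path scans, the failed device's slot would still point at freed memory on the next open; `sl` also appears to live inside that allocation, so it must not be touched after this line. I would clear the table slot on this path before the free, for example through the driver's existing `slc_free_netdev()` helper, after checking whether that helper in the 4.9 tree already calls `free_netdev()` itself (to avoid a double free). It is also worth confirming that freeing here, before the `rtnl_unlock()` at `err_exit`, is safe for a device whose registration failed. The body of slcan_open starts and ends outside the hunk, so these points need checking against the full function.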