4.14-stable patches

added patches:
	ax88172a-fix-information-leak-on-short-answers.patch
	net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch
	slip-fix-memory-leak-in-slip_open-error-path.patch

diff --git a/queue-4.14/ax88172a-fix-information-leak-on-short-answers.patch b/queue-4.14/ax88172a-fix-information-leak-on-short-answers.patch
new file mode 100644 (file)
index 0000000..3f04527
--- /dev/null
+++ b/queue-4.14/ax88172a-fix-information-leak-on-short-answers.patch
@@ -0,0 +1,32 @@
+From foo@baz Mon 18 Nov 2019 09:17:59 AM CET
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 11:16:01 +0100
+Subject: ax88172a: fix information leak on short answers
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
+
+If a malicious device gives a short MAC it can elicit up to
+5 bytes of leaked memory out of the driver. We need to check for
+ETH_ALEN instead.
+
+Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ax88172a.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/ax88172a.c
++++ b/drivers/net/usb/ax88172a.c
+@@ -208,7 +208,7 @@ static int ax88172a_bind(struct usbnet *
+ 
+       /* Get the MAC address */
+       ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
+-      if (ret < 0) {
++      if (ret < ETH_ALEN) {
+               netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
+               goto free;
+       }

diff --git a/queue-4.14/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch b/queue-4.14/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch
new file mode 100644 (file)
index 0000000..ca276b1
--- /dev/null
+++ b/queue-4.14/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon 18 Nov 2019 09:17:59 AM CET
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Wed, 13 Nov 2019 11:11:10 +0100
+Subject: net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+[ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ]
+
+These are the Foxconn-branded variants of the Dell DW5821e modules,
+same USB layout as those.
+
+The QMI interface is exposed in USB configuration #1:
+
+P:  Vendor=0489 ProdID=e0b4 Rev=03.18
+S:  Manufacturer=FII
+S:  Product=T77W968 LTE
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
+I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1295,6 +1295,8 @@ static const struct usb_device_id produc
+       {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
+       {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)},    /* Quectel BG96 */
+       {QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)}, /* Fibocom NL678 series */
++      {QMI_FIXED_INTF(0x0489, 0xe0b4, 0)},    /* Foxconn T77W968 LTE */
++      {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)},    /* Foxconn T77W968 LTE with eSIM support*/
+ 
+       /* 4. Gobi 1000 devices */
+       {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)},    /* Acer Gobi Modem Device */

diff --git a/queue-4.14/series b/queue-4.14/series
index 0e13f8051b4644bc557a0b334a7f657404871d8d..a54ded01d3416c212faca107e58bf5091613bac9 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,6 @@ scsi-core-handle-drivers-which-set-sg_tablesize-to-zero.patch
 revert-input-synaptics-rmi4-avoid-processing-unknown-irqs.patch
 powerpc-perf-fix-imc_max_pmu-macro.patch
 powerpc-perf-fix-kfree-memory-allocated-for-nest-pmus.patch
+ax88172a-fix-information-leak-on-short-answers.patch
+net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch
+slip-fix-memory-leak-in-slip_open-error-path.patch

diff --git a/queue-4.14/slip-fix-memory-leak-in-slip_open-error-path.patch b/queue-4.14/slip-fix-memory-leak-in-slip_open-error-path.patch
new file mode 100644 (file)
index 0000000..cf5fd7a
--- /dev/null
+++ b/queue-4.14/slip-fix-memory-leak-in-slip_open-error-path.patch
@@ -0,0 +1,55 @@
+From foo@baz Mon 18 Nov 2019 09:17:59 AM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 13:45:02 +0200
+Subject: slip: Fix memory leak in slip_open error path
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]
+
+Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
+by Syzkaller in slcan. Same issue exists in slip.c and this patch is
+addressing the leak in slip.c.
+
+Here is the slcan memory leak trace reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+  hex dump (first 32 bytes):
+    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  backtrace:
+    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+    [<000000008ea75434>] 0xfffffffffffffff
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -859,6 +859,7 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      free_netdev(sl->dev);
+ 
+ err_exit:
+       rtnl_unlock();