--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: Richard Palethorpe <rpalethorpe@suse.com>
+Date: Tue, 21 Jan 2020 14:42:58 +0100
+Subject: can, slip: Protect tty->disc_data in write_wakeup and close with RCU
+
+From: Richard Palethorpe <rpalethorpe@suse.com>
+
+[ Upstream commit 0ace17d56824165c7f4c68785d6b58971db954dd ]
+
+write_wakeup can happen in parallel with close/hangup where tty->disc_data
+is set to NULL and the netdevice is freed thus also freeing
+disc_data. write_wakeup accesses disc_data so we must prevent close from
+freeing the netdev while write_wakeup has a non-NULL view of
+tty->disc_data.
+
+We also need to make sure that accesses to disc_data are atomic. Which can
+all be done with RCU.
+
+This problem was found by Syzkaller on SLCAN, but the same issue is
+reproducible with the SLIP line discipline using an LTP test based on the
+Syzkaller reproducer.
+
+A fix which didn't use RCU was posted by Hillf Danton.
+
+Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
+Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
+Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
+Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Tyler Hall <tylerwhall@gmail.com>
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: syzkaller@googlegroups.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/slcan.c | 12 ++++++++++--
+ drivers/net/slip/slip.c | 12 ++++++++++--
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -344,9 +344,16 @@ static void slcan_transmit(struct work_s
+ */
+ static void slcan_write_wakeup(struct tty_struct *tty)
+ {
+- struct slcan *sl = tty->disc_data;
++ struct slcan *sl;
++
++ rcu_read_lock();
++ sl = rcu_dereference(tty->disc_data);
++ if (!sl)
++ goto out;
+
+ schedule_work(&sl->tx_work);
++out:
++ rcu_read_unlock();
+ }
+
+ /* Send a can_frame to a TTY queue. */
+@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc
+ return;
+
+ spin_lock_bh(&sl->lock);
+- tty->disc_data = NULL;
++ rcu_assign_pointer(tty->disc_data, NULL);
+ sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
++ synchronize_rcu();
+ flush_work(&sl->tx_work);
+
+ /* Flush network side */
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st
+ */
+ static void slip_write_wakeup(struct tty_struct *tty)
+ {
+- struct slip *sl = tty->disc_data;
++ struct slip *sl;
++
++ rcu_read_lock();
++ sl = rcu_dereference(tty->disc_data);
++ if (!sl)
++ goto out;
+
+ schedule_work(&sl->tx_work);
++out:
++ rcu_read_unlock();
+ }
+
+ static void sl_tx_timeout(struct net_device *dev)
+@@ -887,10 +894,11 @@ static void slip_close(struct tty_struct
+ return;
+
+ spin_lock_bh(&sl->lock);
+- tty->disc_data = NULL;
++ rcu_assign_pointer(tty->disc_data, NULL);
+ sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
++ synchronize_rcu();
+ flush_work(&sl->tx_work);
+
+ /* VSV = very important to remove timers */
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sat, 25 Jan 2020 14:33:29 +0000
+Subject: firestream: fix memory leaks
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit fa865ba183d61c1ec8cbcab8573159c3b72b89a4 ]
+
+In fs_open(), 'vcc' is allocated through kmalloc() and assigned to
+'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g.,
+there is no more free channel, an error code EBUSY or ENOMEM will be
+returned. However, 'vcc' is not deallocated, leading to memory leaks. Note
+that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated
+in fs_close(). But, if fs_open() fails, there is no guarantee that
+fs_close() will be invoked.
+
+To fix this issue, deallocate 'vcc' before the error code is returned.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/firestream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/atm/firestream.c
++++ b/drivers/atm/firestream.c
+@@ -923,6 +923,7 @@ static int fs_open(struct atm_vcc *atm_v
+ }
+ if (!to) {
+ printk ("No more free channels for FS50..\n");
++ kfree(vcc);
+ return -EBUSY;
+ }
+ vcc->channo = dev->channo;
+@@ -933,6 +934,7 @@ static int fs_open(struct atm_vcc *atm_v
+ if (((DO_DIRECTION(rxtp) && dev->atm_vccs[vcc->channo])) ||
+ ( DO_DIRECTION(txtp) && test_bit (vcc->channo, dev->tx_inuse))) {
+ printk ("Channel is in use for FS155.\n");
++ kfree(vcc);
+ return -EBUSY;
+ }
+ }
+@@ -946,6 +948,7 @@ static int fs_open(struct atm_vcc *atm_v
+ tc, sizeof (struct fs_transmit_config));
+ if (!tc) {
+ fs_dprintk (FS_DEBUG_OPEN, "fs: can't alloc transmit_config.\n");
++ kfree(vcc);
+ return -ENOMEM;
+ }
+
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 24 Jan 2020 20:41:44 +1100
+Subject: net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a =
+
+The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet
+adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in
+cxgb_extension_ioctl().
+
+One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears
+to read memory directly out of the adapter and return it to userspace.
+It's not entirely clear what the contents of the adapter memory
+contains, but the assumption is that it shouldn't be accessible to all
+users.
+
+So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after
+the is_offload() check, which matches two of the other subcommands in
+the same function which also check for is_offload() and CAP_NET_ADMIN.
+
+Found by Ilja by code inspection, not tested as I don't have the
+required hardware.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2437,6 +2437,8 @@ static int cxgb_extension_ioctl(struct n
+
+ if (!is_offload(adapter))
+ return -EOPNOTSUPP;
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
+ if (!(adapter->flags & FULL_INIT_DONE))
+ return -EIO; /* need the memory controllers */
+ if (copy_from_user(&t, useraddr, sizeof(t)))
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: William Dauchy <w.dauchy@criteo.com>
+Date: Tue, 21 Jan 2020 15:26:24 +0100
+Subject: net, ip_tunnel: fix namespaces move
+
+From: William Dauchy <w.dauchy@criteo.com>
+
+[ Upstream commit d0f418516022c32ecceaf4275423e5bd3f8743a9 ]
+
+in the same manner as commit 690afc165bb3 ("net: ip6_gre: fix moving
+ip6gre between namespaces"), fix namespace moving as it was broken since
+commit 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.").
+Indeed, the ip6_gre commit removed the local flag for collect_md
+condition, so there is no reason to keep it for ip_gre/ip_tunnel.
+
+this patch will fix both ip_tunnel and ip_gre modules.
+
+Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.")
+Signed-off-by: William Dauchy <w.dauchy@criteo.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -1151,10 +1151,8 @@ int ip_tunnel_init(struct net_device *de
+ iph->version = 4;
+ iph->ihl = 5;
+
+- if (tunnel->collect_md) {
+- dev->features |= NETIF_F_NETNS_LOCAL;
++ if (tunnel->collect_md)
+ netif_keep_dst(dev);
+- }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(ip_tunnel_init);
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Mon, 20 Jan 2020 09:51:03 +0200
+Subject: net-sysfs: Fix reference count leak
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ]
+
+Netdev_register_kobject is calling device_initialize. In case of error
+reference taken by device_initialize is not given up.
+
+Drivers are supposed to call free_netdev in case of error. In non-error
+case the last reference is given up there and device release sequence
+is triggered. In error case this reference is kept and the release
+sequence is never started.
+
+Fix this by setting reg_state as NETREG_UNREGISTERED if registering
+fails.
+
+This is the rootcause for couple of memory leaks reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
+ comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
+ [<000000002340019b>] device_add+0x882/0x1750
+ [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
+ [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
+ [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
+ [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
+ [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
+ [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
+ [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
+ [<00000000984cabb9>] do_syscall_64+0x16f/0x580
+ [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<00000000e6ca2d9f>] 0xffffffffffffffff
+
+BUG: memory leak
+unreferenced object 0xffff8880668ba588 (size 8):
+ comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
+ hex dump (first 8 bytes):
+ 6e 72 30 00 cc be df 2b nr0....+
+ backtrace:
+ [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
+ [<00000000236fd26b>] kstrdup+0x3e/0x70
+ [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
+ [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
+ [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
+ [<0000000019eeab06>] dev_set_name+0xc0/0xf0
+ [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
+ [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
+ [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
+ [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
+ [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
+ [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
+ [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000052d196b7>] do_syscall_64+0x16f/0x580
+ [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<00000000bc384531>] 0xffffffffffffffff
+
+v3 -> v4:
+ Set reg_state to NETREG_UNREGISTERED if registering fails
+
+v2 -> v3:
+* Replaced BUG_ON with WARN_ON in free_netdev and netdev_release
+
+v1 -> v2:
+* Relying on driver calling free_netdev rather than calling
+ put_device directly in error path
+
+Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
+Cc: David Miller <davem@davemloft.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6806,8 +6806,10 @@ int register_netdevice(struct net_device
+ goto err_uninit;
+
+ ret = netdev_register_kobject(dev);
+- if (ret)
++ if (ret) {
++ dev->reg_state = NETREG_UNREGISTERED;
+ goto err_uninit;
++ }
+ dev->reg_state = NETREG_REGISTERED;
+
+ __netdev_update_features(dev);
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:06:27 PM CET
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Mon, 20 Jan 2020 11:12:40 +0000
+Subject: net: usb: lan78xx: Add .ndo_features_check
+
+From: James Hughes <james.hughes@raspberrypi.org>
+
+[ Upstream commit ce896476c65d72b4b99fa09c2f33436b4198f034 ]
+
+As reported by Eric Dumazet, there are still some outstanding
+cases where the driver does not handle TSO correctly when skb's
+are over a certain size. Most cases have been fixed, this patch
+should ensure that forwarded SKB's that are greater than
+MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD are software segmented
+and handled correctly.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -30,6 +30,7 @@
+ #include <linux/ipv6.h>
+ #include <linux/mdio.h>
+ #include <net/ip6_checksum.h>
++#include <net/vxlan.h>
+ #include <linux/microchipphy.h>
+ #include "lan78xx.h"
+
+@@ -2893,6 +2894,19 @@ void lan78xx_tx_timeout(struct net_devic
+ tasklet_schedule(&dev->bh);
+ }
+
++static netdev_features_t lan78xx_features_check(struct sk_buff *skb,
++ struct net_device *netdev,
++ netdev_features_t features)
++{
++ if (skb->len + TX_OVERHEAD > MAX_SINGLE_PACKET_SIZE)
++ features &= ~NETIF_F_GSO_MASK;
++
++ features = vlan_features_check(skb, features);
++ features = vxlan_features_check(skb, features);
++
++ return features;
++}
++
+ static const struct net_device_ops lan78xx_netdev_ops = {
+ .ndo_open = lan78xx_open,
+ .ndo_stop = lan78xx_stop,
+@@ -2906,6 +2920,7 @@ static const struct net_device_ops lan78
+ .ndo_set_features = lan78xx_set_features,
+ .ndo_vlan_rx_add_vid = lan78xx_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = lan78xx_vlan_rx_kill_vid,
++ .ndo_features_check = lan78xx_features_check,
+ };
+
+ static int lan78xx_probe(struct usb_interface *intf,
--- /dev/null
+From foo@baz Mon 27 Jan 2020 04:14:17 PM CET
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 22 Jan 2020 15:42:02 -0800
+Subject: net_sched: fix datalen for ematch
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]
+
+syzbot reported an out-of-bound access in em_nbyte. As initially
+analyzed by Eric, this is because em_nbyte sets its own em->datalen
+in em_nbyte_change() other than the one specified by user, but this
+value gets overwritten later by its caller tcf_em_validate().
+We should leave em->datalen untouched to respect their choices.
+
+I audit all the in-tree ematch users, all of those implement
+->change() set em->datalen, so we can just avoid setting it twice
+in this case.
+
+Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
+Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/ematch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -267,12 +267,12 @@ static int tcf_em_validate(struct tcf_pr
+ }
+ em->data = (unsigned long) v;
+ }
++ em->datalen = data_len;
+ }
+ }
+
+ em->matchid = em_hdr->matchid;
+ em->flags = em_hdr->flags;
+- em->datalen = data_len;
+ em->net = net;
+
+ err = 0;
drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch
arm64-dts-juno-fix-uart-frequency.patch
m68k-call-timer_interrupt-with-interrupts-disabled.patch
+can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
+firestream-fix-memory-leaks.patch
+net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
+net-ip_tunnel-fix-namespaces-move.patch
+net_sched-fix-datalen-for-ematch.patch
+net-sysfs-fix-reference-count-leak.patch
+net-usb-lan78xx-add-.ndo_features_check.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
