4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Apr 2021 07:31:52 +0000 (09:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Apr 2021 07:31:52 +0000 (09:31 +0200)
added patches:
cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch

queue-4.19/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch [new file with mode: 0644]
queue-4.19/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch b/queue-4.19/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
new file mode 100644 (file)
index 0000000..b6b7034
--- /dev/null
@@ -0,0 +1,36 @@
+From 1b5ab825d9acc0f27d2f25c6252f3526832a9626 Mon Sep 17 00:00:00 2001
+From: Du Cheng <ducheng2@gmail.com>
+Date: Thu, 8 Apr 2021 00:27:56 +0800
+Subject: cfg80211: remove WARN_ON() in cfg80211_sme_connect
+
+From: Du Cheng <ducheng2@gmail.com>
+
+commit 1b5ab825d9acc0f27d2f25c6252f3526832a9626 upstream.
+
+A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if multiple
+send_msg(NL80211_CMD_CONNECT) system calls are made from the userland, which
+should be anticipated and handled by the wireless driver. Remove this WARN_ON()
+to prevent kernel panic if kernel is configured to "panic_on_warn".
+
+Bug reported by syzbot.
+
+Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210407162756.6101-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/sme.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -530,7 +530,7 @@ static int cfg80211_sme_connect(struct w
+               cfg80211_sme_free(wdev);
+       }
+-      if (WARN_ON(wdev->conn))
++      if (wdev->conn)
+               return -EINPROGRESS;
+       wdev->conn = kzalloc(sizeof(*wdev->conn), GFP_KERNEL);
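Review bot: With the WARN_ON() gone, the bare `if (wdev->conn)` check in cfg80211_sme_connect() no longer tells a reader that the condition is reachable from user space, so a later cleanup could reinstate the warning and bring back the panic_on_warn crash the commit message describes. A comment above the check would record the reason, e.g. `/* repeated NL80211_CMD_CONNECT from userspace can get here; not a kernel bug, so no WARN */`. The check itself has to stay, since it is the only visible guard before `wdev->conn = kzalloc(...)` overwrites the pointer. cfg80211_sme_connect() begins and ends outside the hunk, so the locking that serialises concurrent connect requests cannot be judged from here.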
diff --git a/queue-4.19/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch b/queue-4.19/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
new file mode 100644 (file)
index 0000000..06c57fe
--- /dev/null
@@ -0,0 +1,96 @@
+From cca8ea3b05c972ffb5295367e6c544369b45fbdd Mon Sep 17 00:00:00 2001
+From: Phillip Potter <phil@philpotter.co.uk>
+Date: Tue, 6 Apr 2021 18:45:54 +0100
+Subject: net: tun: set tun->dev->addr_len during TUNSETLINK processing
+
+From: Phillip Potter <phil@philpotter.co.uk>
+
+commit cca8ea3b05c972ffb5295367e6c544369b45fbdd upstream.
+
+When changing type with TUNSETLINK ioctl command, set tun->dev->addr_len
+to match the appropriate type, using new tun_get_addr_len utility function
+which returns appropriate address length for given type. Fixes a
+KMSAN-found uninit-value bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=0766d38c656abeace60621896d705743aeefed51
+
+Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com
+Diagnosed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |   48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -77,6 +77,14 @@
+ #include <linux/bpf.h>
+ #include <linux/bpf_trace.h>
+ #include <linux/mutex.h>
++#include <linux/ieee802154.h>
++#include <linux/if_ltalk.h>
++#include <uapi/linux/if_fddi.h>
++#include <uapi/linux/if_hippi.h>
++#include <uapi/linux/if_fc.h>
++#include <net/ax25.h>
++#include <net/rose.h>
++#include <net/6lowpan.h>
+ #include <linux/uaccess.h>
+ #include <linux/proc_fs.h>
+@@ -2864,6 +2872,45 @@ static int tun_set_ebpf(struct tun_struc
+       return __tun_set_ebpf(tun, prog_p, prog);
+ }
++/* Return correct value for tun->dev->addr_len based on tun->dev->type. */
++static unsigned char tun_get_addr_len(unsigned short type)
++{
++      switch (type) {
++      case ARPHRD_IP6GRE:
++      case ARPHRD_TUNNEL6:
++              return sizeof(struct in6_addr);
++      case ARPHRD_IPGRE:
++      case ARPHRD_TUNNEL:
++      case ARPHRD_SIT:
++              return 4;
++      case ARPHRD_ETHER:
++              return ETH_ALEN;
++      case ARPHRD_IEEE802154:
++      case ARPHRD_IEEE802154_MONITOR:
++              return IEEE802154_EXTENDED_ADDR_LEN;
++      case ARPHRD_PHONET_PIPE:
++      case ARPHRD_PPP:
++      case ARPHRD_NONE:
++              return 0;
++      case ARPHRD_6LOWPAN:
++              return EUI64_ADDR_LEN;
++      case ARPHRD_FDDI:
++              return FDDI_K_ALEN;
++      case ARPHRD_HIPPI:
++              return HIPPI_ALEN;
++      case ARPHRD_IEEE802:
++              return FC_ALEN;
++      case ARPHRD_ROSE:
++              return ROSE_ADDR_LEN;
++      case ARPHRD_NETROM:
++              return AX25_ADDR_LEN;
++      case ARPHRD_LOCALTLK:
++              return LTALK_ALEN;
++      default:
++              return 0;
++      }
++}
++
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+                           unsigned long arg, int ifreq_len)
+ {
+@@ -3018,6 +3065,7 @@ static long __tun_chr_ioctl(struct file
+                       ret = -EBUSY;
+               } else {
+                       tun->dev->type = (int) arg;
++                      tun->dev->addr_len = tun_get_addr_len(tun->dev->type);
+                       tun_debug(KERN_INFO, tun, "linktype set to %d\n",
+                                 tun->dev->type);
+                       ret = 0;
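Review bot: In tun_get_addr_len() the `default:` arm returns 0 for every link type that is not listed, and the type comes from user space through `tun->dev->type = (int) arg;` with no range check visible in the hunk. An unlisted or truncated value therefore quietly gets a zero-length hardware address. That looks like the safe direction for the uninit-value read the commit message refers to, but it should be stated, for example `/* unlisted type: report no link-layer address rather than keep a stale length */` above `default:`. The `ARPHRD_IEEE802` arm returning `FC_ALEN` reads like a mismatch and would benefit from a one-line comment if the shared length is the intent. __tun_chr_ioctl() continues outside the hunk, so any earlier validation of `arg` is not visible here.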
index 281d43eb6fa8a16dbb9562c4efe208a82b52f8ce..83843e6789f75a4c686da1b501ca8f850409663c 100644 (file)
@@ -50,3 +50,5 @@ net-mlx5-fix-pbmc-register-mapping.patch
 rdma-cxgb4-check-for-ipv6-address-properly-while-des.patch
 clk-socfpga-fix-iomem-pointer-cast-on-64-bit.patch
 net-sched-bump-refcount-for-new-action-in-act-replace-mode.patch
+cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
+net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch