--- /dev/null
+From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 1 Apr 2021 16:27:52 +0300
+Subject: drivers: net: fix memory leak in peak_usb_create_dev
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream.
+
+syzbot reported memory leak in peak_usb.
+The problem was in case of failure after calling
+->dev_init()[2] in peak_usb_create_dev()[1]. The data
+allocated int dev_init() wasn't freed, so simple
+->dev_free() call fix this problem.
+
+backtrace:
+ [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline]
+ [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline]
+ [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2]
+ [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1]
+ [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949
+
+Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -856,7 +856,7 @@ static int peak_usb_create_dev(const str
+ if (dev->adapter->dev_set_bus) {
+ err = dev->adapter->dev_set_bus(dev, 0);
+ if (err)
+- goto lbl_unregister_candev;
++ goto adap_dev_free;
+ }
+
+ /* get device number early */
+@@ -868,6 +868,10 @@ static int peak_usb_create_dev(const str
+
+ return 0;
+
++adap_dev_free:
++ if (dev->adapter->dev_free)
++ dev->adapter->dev_free(dev);
++
+ lbl_unregister_candev:
+ unregister_candev(netdev);
+
--- /dev/null
+From 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:20 -0500
+Subject: net: ieee802154: fix nl802154 add llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ce4e062c2d51977ddc50@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1560,7 +1560,8 @@ static int nl802154_add_llsec_key(struct
+ struct ieee802154_llsec_key_id id = { };
+ u32 commands[NL802154_CMD_FRAME_NR_IDS / 32] = { };
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_KEY_ATTR_USAGE_FRAMES] ||
--- /dev/null
+From 3d1eac2f45585690d942cf47fd7fbd04093ebd1b Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:19 -0500
+Subject: net: ieee802154: fix nl802154 del llsec dev
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 3d1eac2f45585690d942cf47fd7fbd04093ebd1b upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVICE is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+d946223c2e751d136c94@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-2-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1774,7 +1774,8 @@ static int nl802154_del_llsec_dev(struct
+ struct nlattr *attrs[NL802154_DEV_ATTR_MAX + 1];
+ __le64 extended_addr;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_DEV_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVICE], nl802154_dev_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_DEVICE] ||
++ nla_parse_nested_deprecated(attrs, NL802154_DEV_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVICE], nl802154_dev_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_DEV_ATTR_EXTENDED_ADDR])
--- /dev/null
+From 27c746869e1a135dffc2f2a80715bb7aa00445b4 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:21 -0500
+Subject: net: ieee802154: fix nl802154 del llsec devkey
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 27c746869e1a135dffc2f2a80715bb7aa00445b4 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVKEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+368672e0da240db53b5f@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1932,7 +1932,8 @@ static int nl802154_del_llsec_devkey(str
+ struct ieee802154_llsec_device_key key;
+ __le64 extended_addr;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_DEVKEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVKEY], nl802154_devkey_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_DEVKEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_DEVKEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVKEY], nl802154_devkey_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_DEVKEY_ATTR_EXTENDED_ADDR])
--- /dev/null
+From 37feaaf5ceb2245e474369312bb7b922ce7bce69 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:18 -0500
+Subject: net: ieee802154: fix nl802154 del llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 37feaaf5ceb2245e474369312bb7b922ce7bce69 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1608,7 +1608,8 @@ static int nl802154_del_llsec_key(struct
+ struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1];
+ struct ieee802154_llsec_key_id id;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
+ return -EINVAL;
+
+ if (ieee802154_llsec_parse_key_id(attrs[NL802154_KEY_ATTR_ID], &id) < 0)
--- /dev/null
+From 9dde130937e95b72adfae64ab21d6e7e707e2dac Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:53 -0400
+Subject: net: ieee802154: forbid monitor for del llsec seclevel
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 9dde130937e95b72adfae64ab21d6e7e707e2dac upstream.
+
+This patch forbids to del llsec seclevel for monitor interfaces which we
+don't support yet. Otherwise we will access llsec mib which isn't
+initialized for monitors.
+
+Reported-by: syzbot+fbf4fc11a819824e027b@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-15-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -2108,6 +2108,9 @@ static int nl802154_del_llsec_seclevel(s
+ struct wpan_dev *wpan_dev = dev->ieee802154_ptr;
+ struct ieee802154_llsec_seclevel sl;
+
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ return -EOPNOTSUPP;
++
+ if (!info->attrs[NL802154_ATTR_SEC_LEVEL] ||
+ llsec_parse_seclevel(info->attrs[NL802154_ATTR_SEC_LEVEL],
+ &sl) < 0)
--- /dev/null
+From 88c17855ac4291fb462e13a86b7516773b6c932e Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:41 -0400
+Subject: net: ieee802154: forbid monitor for set llsec params
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 88c17855ac4291fb462e13a86b7516773b6c932e upstream.
+
+This patch forbids to set llsec params for monitor interfaces which we
+don't support yet.
+
+Reported-by: syzbot+8b6719da8a04beeafcc3@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1400,6 +1400,9 @@ static int nl802154_set_llsec_params(str
+ u32 changed = 0;
+ int ret;
+
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ return -EOPNOTSUPP;
++
+ if (info->attrs[NL802154_ATTR_SEC_ENABLED]) {
+ u8 enabled;
+
--- /dev/null
+From 6f7f657f24405f426212c09260bf7fe8a52cef33 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 28 Feb 2021 10:18:03 -0500
+Subject: net: ieee802154: nl-mac: fix check on panid
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 6f7f657f24405f426212c09260bf7fe8a52cef33 upstream.
+
+This patch fixes a null pointer derefence for panid handle by move the
+check for the netlink variable directly before accessing them.
+
+Reported-by: syzbot+d4c07de0144f6f63be3a@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210228151817.95700-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl-mac.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ieee802154/nl-mac.c
++++ b/net/ieee802154/nl-mac.c
+@@ -551,9 +551,7 @@ ieee802154_llsec_parse_key_id(struct gen
+ desc->mode = nla_get_u8(info->attrs[IEEE802154_ATTR_LLSEC_KEY_MODE]);
+
+ if (desc->mode == IEEE802154_SCF_KEY_IMPLICIT) {
+- if (!info->attrs[IEEE802154_ATTR_PAN_ID] &&
+- !(info->attrs[IEEE802154_ATTR_SHORT_ADDR] ||
+- info->attrs[IEEE802154_ATTR_HW_ADDR]))
++ if (!info->attrs[IEEE802154_ATTR_PAN_ID])
+ return -EINVAL;
+
+ desc->device_addr.pan_id = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_PAN_ID]);
+@@ -562,6 +560,9 @@ ieee802154_llsec_parse_key_id(struct gen
+ desc->device_addr.mode = IEEE802154_ADDR_SHORT;
+ desc->device_addr.short_addr = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_SHORT_ADDR]);
+ } else {
++ if (!info->attrs[IEEE802154_ATTR_HW_ADDR])
++ return -EINVAL;
++
+ desc->device_addr.mode = IEEE802154_ADDR_LONG;
+ desc->device_addr.extended_addr = nla_get_hwaddr(info->attrs[IEEE802154_ATTR_HW_ADDR]);
+ }
--- /dev/null
+From 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:54 -0400
+Subject: net: ieee802154: stop dump llsec params for monitors
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 upstream.
+
+This patch stops dumping llsec params for monitors which we don't support
+yet. Otherwise we will access llsec mib which isn't initialized for
+monitors.
+
+Reported-by: syzbot+cde43a581a8e5f317bc2@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-16-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -836,8 +836,13 @@ nl802154_send_iface(struct sk_buff *msg,
+ goto nla_put_failure;
+
+ #ifdef CONFIG_IEEE802154_NL802154_EXPERIMENTAL
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ goto out;
++
+ if (nl802154_get_llsec_params(msg, rdev, wpan_dev) < 0)
+ goto nla_put_failure;
++
++out:
+ #endif /* CONFIG_IEEE802154_NL802154_EXPERIMENTAL */
+
+ genlmsg_end(msg, hdr);
--- /dev/null
+From 1165affd484889d4986cf3b724318935a0b120d8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 4 Mar 2021 18:21:25 +0300
+Subject: net: mac802154: Fix general protection fault
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 1165affd484889d4986cf3b724318935a0b120d8 upstream.
+
+syzbot found general protection fault in crypto_destroy_tfm()[1].
+It was caused by wrong clean up loop in llsec_key_alloc().
+If one of the tfm array members is in IS_ERR() range it will
+cause general protection fault in clean up function [1].
+
+Call Trace:
+ crypto_free_aead include/crypto/aead.h:191 [inline] [1]
+ llsec_key_alloc net/mac802154/llsec.c:156 [inline]
+ mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
+ ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
+ rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
+ nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
+ genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/llsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac802154/llsec.c
++++ b/net/mac802154/llsec.c
+@@ -152,7 +152,7 @@ err_tfm0:
+ crypto_free_sync_skcipher(key->tfm0);
+ err_tfm:
+ for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
+- if (key->tfm[i])
++ if (!IS_ERR_OR_NULL(key->tfm[i]))
+ crypto_free_aead(key->tfm[i]);
+
+ kzfree(key);
cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
drivers-net-fix-memory-leak-in-atusb_probe.patch
+drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
+net-mac802154-fix-general-protection-fault.patch
+net-ieee802154-nl-mac-fix-check-on-panid.patch
+net-ieee802154-fix-nl802154-del-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-dev.patch
+net-ieee802154-fix-nl802154-add-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-devkey.patch
+net-ieee802154-forbid-monitor-for-set-llsec-params.patch
+net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch
+net-ieee802154-stop-dump-llsec-params-for-monitors.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
