5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 12:32:30 +0000 (14:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 12:32:30 +0000 (14:32 +0200)
added patches:
net-usb-fix-memory-leak-in-smsc75xx_bind.patch
spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch

queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch [new file with mode: 0644]

diff --git a/queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch b/queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
new file mode 100644 (file)
index 0000000..b5ba8c6
--- /dev/null
@@ -0,0 +1,60 @@
+From 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 24 May 2021 23:02:08 +0300
+Subject: net: usb: fix memory leak in smsc75xx_bind
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 upstream.
+
+Syzbot reported memory leak in smsc75xx_bind().
+The problem was is non-freed memory in case of
+errors after memory allocation.
+
+backtrace:
+  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
+  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
+  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
+  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Cc: stable@kernel.vger.org
+Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1482,7 +1482,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_wait_ready(dev, 0);
+       if (ret < 0) {
+               netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+-              return ret;
++              goto err;
+       }
+       smsc75xx_init_mac_address(dev);
+@@ -1491,7 +1491,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_reset(dev);
+       if (ret < 0) {
+               netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+-              return ret;
++              goto err;
+       }
+       dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1501,6 +1501,10 @@ static int smsc75xx_bind(struct usbnet *
+       dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+       dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+       return 0;
++
++err:
++      kfree(pdata);
++      return ret;
+ }
+ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
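Review bot: The `err:` label added at the end of smsc75xx_bind frees `pdata` without clearing the pointer the driver keeps to it, so a failed bind may leave a dangling reference. The allocation and the store sit above the visible hunks, so confirm against the full function, but if the pointer lives in `dev->data[0]` the error path should reset it right after the free: `kfree(pdata); dev->data[0] = 0;`. The second `goto err` runs after smsc75xx_reset(); if that call can queue deferred work that dereferences `pdata`, the work must also be cancelled before the `kfree`, for example with `cancel_work_sync()` on the relevant work item. Otherwise the fix trades a memory leak for a possible use-after-free.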
index 846990a5aac0165f1a1544617fd963ee945b9052..81940e29e44d10a831ac5e6fb51313d0e7c99526 100644 (file)
@@ -60,3 +60,5 @@ usb-serial-pl2303-add-device-id-for-adlink-nd-6530-gc.patch
 thermal-drivers-intel-initialize-rw-trip-to-thermal_temp_invalid.patch
 usb-dwc3-gadget-properly-track-pending-and-queued-sg.patch
 usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
+net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
diff --git a/queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..51b022f
--- /dev/null
@@ -0,0 +1,56 @@
+From 8f96c434dfbc85ffa755d6634c8c1cb2233fcf24 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:02 +0100
+Subject: spi: spi-geni-qcom: Fix use-after-free on unbind
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 8f96c434dfbc85ffa755d6634c8c1cb2233fcf24 upstream.
+
+spi_geni_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Moreover, since commit 1a9e489e6128 ("spi: spi-geni-qcom: Use OPP API to
+set clk/perf state"), spi_geni_probe() leaks the spi_master allocation
+if the calls to dev_pm_opp_set_clkname() or dev_pm_opp_of_add_table()
+fail.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound and also
+avoids the spi_master leak on probe.
+
+Fixes: 561de45f72bd ("spi: spi-geni-qcom: Add SPI driver support for GENI based QUP")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.20+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.20+
+Cc: Rajendra Nayak <rnayak@codeaurora.org>
+Cc: Girish Mahadevan <girishm@codeaurora.org>
+Link: https://lore.kernel.org/r/dfa1d8c41b8acdfad87ec8654cd124e6e3cb3f31.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[lukas: backport to v5.4.123]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-geni-qcom.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -552,7 +552,7 @@ static int spi_geni_probe(struct platfor
+               return PTR_ERR(clk);
+       }
+-      spi = spi_alloc_master(&pdev->dev, sizeof(*mas));
++      spi = devm_spi_alloc_master(&pdev->dev, sizeof(*mas));
+       if (!spi)
+               return -ENOMEM;
+@@ -599,7 +599,6 @@ spi_geni_probe_free_irq:
+       free_irq(mas->irq, spi);
+ spi_geni_probe_runtime_disable:
+       pm_runtime_disable(&pdev->dev);
+-      spi_master_put(spi);
+       return ret;
+ }
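Review bot: This backport only builds and behaves as described if `devm_spi_alloc_master()` already exists in the 5.4 tree. The `Cc: stable` line names 5e844cc37a5c as the prerequisite and nothing in this queue commit adds it, so check that it landed in an earlier 5.4 release before this patch is applied. With the device-managed allocation, removing `spi_master_put(spi)` at the end of spi_geni_probe is correct. Any other `spi_master_put()` remaining in the probe or remove paths outside these hunks would now drop a reference that the devres release drops as well. spi_geni_remove(), where the reported use-after-free occurs, is not shown here and should be checked the same way.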