4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Apr 2021 07:47:26 +0000 (09:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Apr 2021 07:47:26 +0000 (09:47 +0200)
added patches:
drivers-net-fix-memory-leak-in-atusb_probe.patch
drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
net-ieee802154-fix-nl802154-add-llsec-key.patch
net-ieee802154-fix-nl802154-del-llsec-dev.patch
net-ieee802154-fix-nl802154-del-llsec-devkey.patch
net-ieee802154-fix-nl802154-del-llsec-key.patch
net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch
net-ieee802154-forbid-monitor-for-set-llsec-params.patch
net-ieee802154-nl-mac-fix-check-on-panid.patch
net-ieee802154-stop-dump-llsec-params-for-monitors.patch
net-mac802154-fix-general-protection-fault.patch

12 files changed:
queue-4.14/drivers-net-fix-memory-leak-in-atusb_probe.patch [new file with mode: 0644]
queue-4.14/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-fix-nl802154-add-llsec-key.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-fix-nl802154-del-llsec-dev.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-fix-nl802154-del-llsec-devkey.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-fix-nl802154-del-llsec-key.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-forbid-monitor-for-set-llsec-params.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-nl-mac-fix-check-on-panid.patch [new file with mode: 0644]
queue-4.14/net-ieee802154-stop-dump-llsec-params-for-monitors.patch [new file with mode: 0644]
queue-4.14/net-mac802154-fix-general-protection-fault.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/drivers-net-fix-memory-leak-in-atusb_probe.patch b/queue-4.14/drivers-net-fix-memory-leak-in-atusb_probe.patch
new file mode 100644 (file)
index 0000000..b138aa0
--- /dev/null
@@ -0,0 +1,38 @@
+From 6b9fbe16955152626557ec6f439f3407b7769941 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 1 Apr 2021 07:46:24 +0300
+Subject: drivers: net: fix memory leak in atusb_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 6b9fbe16955152626557ec6f439f3407b7769941 upstream.
+
+syzbot reported memory leak in atusb_probe()[1].
+The problem was in atusb_alloc_urbs().
+Since urb is anchored, we need to release the reference
+to correctly free the urb
+
+backtrace:
+    [<ffffffff82ba0466>] kmalloc include/linux/slab.h:559 [inline]
+    [<ffffffff82ba0466>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
+    [<ffffffff82ad3888>] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2]
+    [<ffffffff82ad3888>] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1]
+
+Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/atusb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -346,6 +346,7 @@ static int atusb_alloc_urbs(struct atusb
+                       return -ENOMEM;
+               }
+               usb_anchor_urb(urb, &atusb->idle_urbs);
++              usb_free_urb(urb);
+               n--;
+       }
+       return 0;
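Review bot: The added `usb_free_urb(urb);` directly after `usb_anchor_urb()` reads like a premature free unless the reader already knows the anchor took its own reference. A short comment on that line would make the ownership hand-over explicit, for example `/* the anchor holds its own reference now; drop the one from usb_alloc_urb() */`. atusb_alloc_urbs() begins above the hunk, so the allocation call and the error path before `return -ENOMEM;` are not visible here.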
diff --git a/queue-4.14/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch b/queue-4.14/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
new file mode 100644 (file)
index 0000000..921fad4
--- /dev/null
@@ -0,0 +1,52 @@
+From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 1 Apr 2021 16:27:52 +0300
+Subject: drivers: net: fix memory leak in peak_usb_create_dev
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream.
+
+syzbot reported memory leak in peak_usb.
+The problem was in case of failure after calling
+->dev_init()[2] in peak_usb_create_dev()[1]. The data
+allocated int dev_init() wasn't freed, so simple
+->dev_free() call fix this problem.
+
+backtrace:
+    [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline]
+    [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline]
+    [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868   [2]
+    [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1]
+    [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949
+
+Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -882,7 +882,7 @@ static int peak_usb_create_dev(const str
+       if (dev->adapter->dev_set_bus) {
+               err = dev->adapter->dev_set_bus(dev, 0);
+               if (err)
+-                      goto lbl_unregister_candev;
++                      goto adap_dev_free;
+       }
+       /* get device number early */
+@@ -894,6 +894,10 @@ static int peak_usb_create_dev(const str
+       return 0;
++adap_dev_free:
++      if (dev->adapter->dev_free)
++              dev->adapter->dev_free(dev);
++
+ lbl_unregister_candev:
+       unregister_candev(netdev);
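Review bot: The new label `adap_dev_free` does not follow the `lbl_` prefix used by the neighbouring `lbl_unregister_candev`; naming it `lbl_adap_dev_free:` (and `goto lbl_adap_dev_free;`) would keep the unwind labels uniform. Only the `dev_set_bus` failure is rerouted in the visible lines, so any other failure path that runs after `->dev_init()` and before `return 0;` should be confirmed to reach the same label. peak_usb_create_dev() starts and ends outside the hunk, so that cannot be checked from here.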
diff --git a/queue-4.14/net-ieee802154-fix-nl802154-add-llsec-key.patch b/queue-4.14/net-ieee802154-fix-nl802154-add-llsec-key.patch
new file mode 100644 (file)
index 0000000..dd0d313
--- /dev/null
@@ -0,0 +1,33 @@
+From 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:20 -0500
+Subject: net: ieee802154: fix nl802154 add llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ce4e062c2d51977ddc50@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1562,7 +1562,8 @@ static int nl802154_add_llsec_key(struct
+       struct ieee802154_llsec_key_id id = { };
+       u32 commands[NL802154_CMD_FRAME_NR_IDS / 32] = { };
+-      if (nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX,
++      if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++          nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX,
+                            info->attrs[NL802154_ATTR_SEC_KEY],
+                            nl802154_key_policy, info->extack))
+               return -EINVAL;
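Review bot: The new `!info->attrs[NL802154_ATTR_SEC_KEY]` test shares a single `return -EINVAL;` with the nla_parse_nested() failure, so user space cannot tell a missing attribute from a malformed one. Since `info->extack` is already passed on this call, the missing-attribute case could be split out and report itself, e.g. `NL_SET_ERR_MSG(info->extack, "NL802154_ATTR_SEC_KEY missing");`, provided the macro is available in this tree. The same guard is repeated verbatim in the nl802154_del_llsec_dev(), nl802154_del_llsec_devkey() and nl802154_del_llsec_key() hunks below, where the same point applies. The function body continues past the hunk.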
diff --git a/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-dev.patch b/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-dev.patch
new file mode 100644 (file)
index 0000000..5814b3c
--- /dev/null
@@ -0,0 +1,33 @@
+From 3d1eac2f45585690d942cf47fd7fbd04093ebd1b Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:19 -0500
+Subject: net: ieee802154: fix nl802154 del llsec dev
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 3d1eac2f45585690d942cf47fd7fbd04093ebd1b upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVICE is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+d946223c2e751d136c94@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-2-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1781,7 +1781,8 @@ static int nl802154_del_llsec_dev(struct
+       struct nlattr *attrs[NL802154_DEV_ATTR_MAX + 1];
+       __le64 extended_addr;
+-      if (nla_parse_nested(attrs, NL802154_DEV_ATTR_MAX,
++      if (!info->attrs[NL802154_ATTR_SEC_DEVICE] ||
++          nla_parse_nested(attrs, NL802154_DEV_ATTR_MAX,
+                            info->attrs[NL802154_ATTR_SEC_DEVICE],
+                            nl802154_dev_policy, info->extack))
+               return -EINVAL;
diff --git a/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-devkey.patch b/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-devkey.patch
new file mode 100644 (file)
index 0000000..d826c3d
--- /dev/null
@@ -0,0 +1,33 @@
+From 27c746869e1a135dffc2f2a80715bb7aa00445b4 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:21 -0500
+Subject: net: ieee802154: fix nl802154 del llsec devkey
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 27c746869e1a135dffc2f2a80715bb7aa00445b4 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVKEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+368672e0da240db53b5f@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1943,7 +1943,8 @@ static int nl802154_del_llsec_devkey(str
+       struct ieee802154_llsec_device_key key;
+       __le64 extended_addr;
+-      if (nla_parse_nested(attrs, NL802154_DEVKEY_ATTR_MAX,
++      if (!info->attrs[NL802154_ATTR_SEC_DEVKEY] ||
++          nla_parse_nested(attrs, NL802154_DEVKEY_ATTR_MAX,
+                            info->attrs[NL802154_ATTR_SEC_DEVKEY],
+                            nl802154_devkey_policy, info->extack))
+               return -EINVAL;
diff --git a/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-key.patch b/queue-4.14/net-ieee802154-fix-nl802154-del-llsec-key.patch
new file mode 100644 (file)
index 0000000..8794a94
--- /dev/null
@@ -0,0 +1,33 @@
+From 37feaaf5ceb2245e474369312bb7b922ce7bce69 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:18 -0500
+Subject: net: ieee802154: fix nl802154 del llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 37feaaf5ceb2245e474369312bb7b922ce7bce69 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1612,7 +1612,8 @@ static int nl802154_del_llsec_key(struct
+       struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1];
+       struct ieee802154_llsec_key_id id;
+-      if (nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX,
++      if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++          nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX,
+                            info->attrs[NL802154_ATTR_SEC_KEY],
+                            nl802154_key_policy, info->extack))
+               return -EINVAL;
diff --git a/queue-4.14/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch b/queue-4.14/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch
new file mode 100644 (file)
index 0000000..3e62022
--- /dev/null
@@ -0,0 +1,34 @@
+From 9dde130937e95b72adfae64ab21d6e7e707e2dac Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:53 -0400
+Subject: net: ieee802154: forbid monitor for del llsec seclevel
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 9dde130937e95b72adfae64ab21d6e7e707e2dac upstream.
+
+This patch forbids to del llsec seclevel for monitor interfaces which we
+don't support yet. Otherwise we will access llsec mib which isn't
+initialized for monitors.
+
+Reported-by: syzbot+fbf4fc11a819824e027b@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-15-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -2122,6 +2122,9 @@ static int nl802154_del_llsec_seclevel(s
+       struct wpan_dev *wpan_dev = dev->ieee802154_ptr;
+       struct ieee802154_llsec_seclevel sl;
++      if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++              return -EOPNOTSUPP;
++
+       if (!info->attrs[NL802154_ATTR_SEC_LEVEL] ||
+           llsec_parse_seclevel(info->attrs[NL802154_ATTR_SEC_LEVEL],
+                                &sl) < 0)
diff --git a/queue-4.14/net-ieee802154-forbid-monitor-for-set-llsec-params.patch b/queue-4.14/net-ieee802154-forbid-monitor-for-set-llsec-params.patch
new file mode 100644 (file)
index 0000000..2f90d95
--- /dev/null
@@ -0,0 +1,33 @@
+From 88c17855ac4291fb462e13a86b7516773b6c932e Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:41 -0400
+Subject: net: ieee802154: forbid monitor for set llsec params
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 88c17855ac4291fb462e13a86b7516773b6c932e upstream.
+
+This patch forbids to set llsec params for monitor interfaces which we
+don't support yet.
+
+Reported-by: syzbot+8b6719da8a04beeafcc3@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1402,6 +1402,9 @@ static int nl802154_set_llsec_params(str
+       u32 changed = 0;
+       int ret;
++      if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++              return -EOPNOTSUPP;
++
+       if (info->attrs[NL802154_ATTR_SEC_ENABLED]) {
+               u8 enabled;
diff --git a/queue-4.14/net-ieee802154-nl-mac-fix-check-on-panid.patch b/queue-4.14/net-ieee802154-nl-mac-fix-check-on-panid.patch
new file mode 100644 (file)
index 0000000..95ff06c
--- /dev/null
@@ -0,0 +1,44 @@
+From 6f7f657f24405f426212c09260bf7fe8a52cef33 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 28 Feb 2021 10:18:03 -0500
+Subject: net: ieee802154: nl-mac: fix check on panid
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 6f7f657f24405f426212c09260bf7fe8a52cef33 upstream.
+
+This patch fixes a null pointer derefence for panid handle by move the
+check for the netlink variable directly before accessing them.
+
+Reported-by: syzbot+d4c07de0144f6f63be3a@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210228151817.95700-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl-mac.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ieee802154/nl-mac.c
++++ b/net/ieee802154/nl-mac.c
+@@ -559,9 +559,7 @@ ieee802154_llsec_parse_key_id(struct gen
+       desc->mode = nla_get_u8(info->attrs[IEEE802154_ATTR_LLSEC_KEY_MODE]);
+       if (desc->mode == IEEE802154_SCF_KEY_IMPLICIT) {
+-              if (!info->attrs[IEEE802154_ATTR_PAN_ID] &&
+-                  !(info->attrs[IEEE802154_ATTR_SHORT_ADDR] ||
+-                    info->attrs[IEEE802154_ATTR_HW_ADDR]))
++              if (!info->attrs[IEEE802154_ATTR_PAN_ID])
+                       return -EINVAL;
+               desc->device_addr.pan_id = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_PAN_ID]);
+@@ -570,6 +568,9 @@ ieee802154_llsec_parse_key_id(struct gen
+                       desc->device_addr.mode = IEEE802154_ADDR_SHORT;
+                       desc->device_addr.short_addr = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_SHORT_ADDR]);
+               } else {
++                      if (!info->attrs[IEEE802154_ATTR_HW_ADDR])
++                              return -EINVAL;
++
+                       desc->device_addr.mode = IEEE802154_ADDR_LONG;
+                       desc->device_addr.extended_addr = nla_get_hwaddr(info->attrs[IEEE802154_ATTR_HW_ADDR]);
+               }
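Review bot: The address requirement for implicit key mode is now spread over two places, the `IEEE802154_ATTR_PAN_ID` test at the top and the `IEEE802154_ATTR_HW_ADDR` test inside the `else` branch, with nothing stating that the branch above covers the short-address case. A comment ahead of the block, such as `/* implicit mode: PAN ID is mandatory, followed by either a short or an extended address */`, would keep a later edit from dropping one of the presence checks before its `nla_get_*()` call. The `if` that opens the short-address branch lies outside the visible lines.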
diff --git a/queue-4.14/net-ieee802154-stop-dump-llsec-params-for-monitors.patch b/queue-4.14/net-ieee802154-stop-dump-llsec-params-for-monitors.patch
new file mode 100644 (file)
index 0000000..6e7bade
--- /dev/null
@@ -0,0 +1,38 @@
+From 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:54 -0400
+Subject: net: ieee802154: stop dump llsec params for monitors
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 upstream.
+
+This patch stops dumping llsec params for monitors which we don't support
+yet. Otherwise we will access llsec mib which isn't initialized for
+monitors.
+
+Reported-by: syzbot+cde43a581a8e5f317bc2@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-16-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -836,8 +836,13 @@ nl802154_send_iface(struct sk_buff *msg,
+               goto nla_put_failure;
+ #ifdef CONFIG_IEEE802154_NL802154_EXPERIMENTAL
++      if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++              goto out;
++
+       if (nl802154_get_llsec_params(msg, rdev, wpan_dev) < 0)
+               goto nla_put_failure;
++
++out:
+ #endif /* CONFIG_IEEE802154_NL802154_EXPERIMENTAL */
+       genlmsg_end(msg, hdr);
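Review bot: The `out:` label sits inside the `#ifdef CONFIG_IEEE802154_NL802154_EXPERIMENTAL` block and exists only to jump over one call, so it appears and disappears with the config option. Folding the test into the existing condition avoids the label: `if (wpan_dev->iftype != NL802154_IFTYPE_MONITOR && nl802154_get_llsec_params(msg, rdev, wpan_dev) < 0)` followed by the unchanged `goto nla_put_failure;`. nl802154_send_iface() starts and ends outside the hunk.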
diff --git a/queue-4.14/net-mac802154-fix-general-protection-fault.patch b/queue-4.14/net-mac802154-fix-general-protection-fault.patch
new file mode 100644 (file)
index 0000000..9be6294
--- /dev/null
@@ -0,0 +1,58 @@
+From 1165affd484889d4986cf3b724318935a0b120d8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 4 Mar 2021 18:21:25 +0300
+Subject: net: mac802154: Fix general protection fault
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 1165affd484889d4986cf3b724318935a0b120d8 upstream.
+
+syzbot found general protection fault in crypto_destroy_tfm()[1].
+It was caused by wrong clean up loop in llsec_key_alloc().
+If one of the tfm array members is in IS_ERR() range it will
+cause general protection fault in clean up function [1].
+
+Call Trace:
+ crypto_free_aead include/crypto/aead.h:191 [inline] [1]
+ llsec_key_alloc net/mac802154/llsec.c:156 [inline]
+ mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
+ ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
+ rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
+ nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
+ genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/llsec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac802154/llsec.c
++++ b/net/mac802154/llsec.c
+@@ -160,7 +160,7 @@ err_tfm0:
+       crypto_free_skcipher(key->tfm0);
+ err_tfm:
+       for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
+-              if (key->tfm[i])
++              if (!IS_ERR_OR_NULL(key->tfm[i]))
+                       crypto_free_aead(key->tfm[i]);
+       kzfree(key);
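Review bot: The cleanup loop under `err_tfm` now has to tolerate three states per slot (a valid pointer, NULL, or an ERR_PTR), and nothing at the site says why. A comment above the loop, such as `/* slots after the failed one are still NULL; the failed one holds an ERR_PTR */`, would record the invariant that `IS_ERR_OR_NULL()` relies on. This assumes `key` was zero-allocated, which the hunk does not show, since llsec_key_alloc() begins above the visible lines.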
index fd85d9325fcea326526698a44b409b74a59c44b6..9cee7678c138d6a666470ad2241d733cd70c4a9c 100644 (file)
@@ -45,3 +45,14 @@ net-ncsi-avoid-gfp_kernel-in-response-handler.patch
 usbip-fix-vudc-usbip_sockfd_store-races-leading-to-gpf.patch
 cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
 net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
+drivers-net-fix-memory-leak-in-atusb_probe.patch
+drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
+net-mac802154-fix-general-protection-fault.patch
+net-ieee802154-nl-mac-fix-check-on-panid.patch
+net-ieee802154-fix-nl802154-del-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-dev.patch
+net-ieee802154-fix-nl802154-add-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-devkey.patch
+net-ieee802154-forbid-monitor-for-set-llsec-params.patch
+net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch
+net-ieee802154-stop-dump-llsec-params-for-monitors.patch