--- /dev/null
+From 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:20 -0500
+Subject: net: ieee802154: fix nl802154 add llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ce4e062c2d51977ddc50@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1544,7 +1544,8 @@ static int nl802154_add_llsec_key(struct
+ struct ieee802154_llsec_key_id id = { };
+ u32 commands[NL802154_CMD_FRAME_NR_IDS / 32] = { };
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_KEY_ATTR_USAGE_FRAMES] ||
--- /dev/null
+From 3d1eac2f45585690d942cf47fd7fbd04093ebd1b Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:19 -0500
+Subject: net: ieee802154: fix nl802154 del llsec dev
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 3d1eac2f45585690d942cf47fd7fbd04093ebd1b upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVICE is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+d946223c2e751d136c94@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-2-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1758,7 +1758,8 @@ static int nl802154_del_llsec_dev(struct
+ struct nlattr *attrs[NL802154_DEV_ATTR_MAX + 1];
+ __le64 extended_addr;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_DEV_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVICE], nl802154_dev_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_DEVICE] ||
++ nla_parse_nested_deprecated(attrs, NL802154_DEV_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVICE], nl802154_dev_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_DEV_ATTR_EXTENDED_ADDR])
--- /dev/null
+From 27c746869e1a135dffc2f2a80715bb7aa00445b4 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:21 -0500
+Subject: net: ieee802154: fix nl802154 del llsec devkey
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 27c746869e1a135dffc2f2a80715bb7aa00445b4 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVKEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+368672e0da240db53b5f@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1916,7 +1916,8 @@ static int nl802154_del_llsec_devkey(str
+ struct ieee802154_llsec_device_key key;
+ __le64 extended_addr;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_DEVKEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVKEY], nl802154_devkey_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_DEVKEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_DEVKEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_DEVKEY], nl802154_devkey_policy, info->extack))
+ return -EINVAL;
+
+ if (!attrs[NL802154_DEVKEY_ATTR_EXTENDED_ADDR])
--- /dev/null
+From 37feaaf5ceb2245e474369312bb7b922ce7bce69 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 21 Feb 2021 12:43:18 -0500
+Subject: net: ieee802154: fix nl802154 del llsec key
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 37feaaf5ceb2245e474369312bb7b922ce7bce69 upstream.
+
+This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is
+not set by the user. If this is the case nl802154 will return -EINVAL.
+
+Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210221174321.14210-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1592,7 +1592,8 @@ static int nl802154_del_llsec_key(struct
+ struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1];
+ struct ieee802154_llsec_key_id id;
+
+- if (nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
++ if (!info->attrs[NL802154_ATTR_SEC_KEY] ||
++ nla_parse_nested_deprecated(attrs, NL802154_KEY_ATTR_MAX, info->attrs[NL802154_ATTR_SEC_KEY], nl802154_key_policy, info->extack))
+ return -EINVAL;
+
+ if (ieee802154_llsec_parse_key_id(attrs[NL802154_KEY_ATTR_ID], &id) < 0)
--- /dev/null
+From 9dde130937e95b72adfae64ab21d6e7e707e2dac Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:53 -0400
+Subject: net: ieee802154: forbid monitor for del llsec seclevel
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 9dde130937e95b72adfae64ab21d6e7e707e2dac upstream.
+
+This patch forbids to del llsec seclevel for monitor interfaces which we
+don't support yet. Otherwise we will access llsec mib which isn't
+initialized for monitors.
+
+Reported-by: syzbot+fbf4fc11a819824e027b@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-15-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -2092,6 +2092,9 @@ static int nl802154_del_llsec_seclevel(s
+ struct wpan_dev *wpan_dev = dev->ieee802154_ptr;
+ struct ieee802154_llsec_seclevel sl;
+
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ return -EOPNOTSUPP;
++
+ if (!info->attrs[NL802154_ATTR_SEC_LEVEL] ||
+ llsec_parse_seclevel(info->attrs[NL802154_ATTR_SEC_LEVEL],
+ &sl) < 0)
--- /dev/null
+From 88c17855ac4291fb462e13a86b7516773b6c932e Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:41 -0400
+Subject: net: ieee802154: forbid monitor for set llsec params
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 88c17855ac4291fb462e13a86b7516773b6c932e upstream.
+
+This patch forbids to set llsec params for monitor interfaces which we
+don't support yet.
+
+Reported-by: syzbot+8b6719da8a04beeafcc3@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-3-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1384,6 +1384,9 @@ static int nl802154_set_llsec_params(str
+ u32 changed = 0;
+ int ret;
+
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ return -EOPNOTSUPP;
++
+ if (info->attrs[NL802154_ATTR_SEC_ENABLED]) {
+ u8 enabled;
+
--- /dev/null
+From 6f7f657f24405f426212c09260bf7fe8a52cef33 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 28 Feb 2021 10:18:03 -0500
+Subject: net: ieee802154: nl-mac: fix check on panid
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 6f7f657f24405f426212c09260bf7fe8a52cef33 upstream.
+
+This patch fixes a null pointer derefence for panid handle by move the
+check for the netlink variable directly before accessing them.
+
+Reported-by: syzbot+d4c07de0144f6f63be3a@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210228151817.95700-4-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl-mac.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ieee802154/nl-mac.c
++++ b/net/ieee802154/nl-mac.c
+@@ -551,9 +551,7 @@ ieee802154_llsec_parse_key_id(struct gen
+ desc->mode = nla_get_u8(info->attrs[IEEE802154_ATTR_LLSEC_KEY_MODE]);
+
+ if (desc->mode == IEEE802154_SCF_KEY_IMPLICIT) {
+- if (!info->attrs[IEEE802154_ATTR_PAN_ID] &&
+- !(info->attrs[IEEE802154_ATTR_SHORT_ADDR] ||
+- info->attrs[IEEE802154_ATTR_HW_ADDR]))
++ if (!info->attrs[IEEE802154_ATTR_PAN_ID])
+ return -EINVAL;
+
+ desc->device_addr.pan_id = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_PAN_ID]);
+@@ -562,6 +560,9 @@ ieee802154_llsec_parse_key_id(struct gen
+ desc->device_addr.mode = IEEE802154_ADDR_SHORT;
+ desc->device_addr.short_addr = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_SHORT_ADDR]);
+ } else {
++ if (!info->attrs[IEEE802154_ATTR_HW_ADDR])
++ return -EINVAL;
++
+ desc->device_addr.mode = IEEE802154_ADDR_LONG;
+ desc->device_addr.extended_addr = nla_get_hwaddr(info->attrs[IEEE802154_ATTR_HW_ADDR]);
+ }
--- /dev/null
+From 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Sun, 4 Apr 2021 20:30:54 -0400
+Subject: net: ieee802154: stop dump llsec params for monitors
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 upstream.
+
+This patch stops dumping llsec params for monitors which we don't support
+yet. Otherwise we will access llsec mib which isn't initialized for
+monitors.
+
+Reported-by: syzbot+cde43a581a8e5f317bc2@syzkaller.appspotmail.com
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210405003054.256017-16-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl802154.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -820,8 +820,13 @@ nl802154_send_iface(struct sk_buff *msg,
+ goto nla_put_failure;
+
+ #ifdef CONFIG_IEEE802154_NL802154_EXPERIMENTAL
++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR)
++ goto out;
++
+ if (nl802154_get_llsec_params(msg, rdev, wpan_dev) < 0)
+ goto nla_put_failure;
++
++out:
+ #endif /* CONFIG_IEEE802154_NL802154_EXPERIMENTAL */
+
+ genlmsg_end(msg, hdr);
--- /dev/null
+From 1165affd484889d4986cf3b724318935a0b120d8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 4 Mar 2021 18:21:25 +0300
+Subject: net: mac802154: Fix general protection fault
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 1165affd484889d4986cf3b724318935a0b120d8 upstream.
+
+syzbot found general protection fault in crypto_destroy_tfm()[1].
+It was caused by wrong clean up loop in llsec_key_alloc().
+If one of the tfm array members is in IS_ERR() range it will
+cause general protection fault in clean up function [1].
+
+Call Trace:
+ crypto_free_aead include/crypto/aead.h:191 [inline] [1]
+ llsec_key_alloc net/mac802154/llsec.c:156 [inline]
+ mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249
+ ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338
+ rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline]
+ nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584
+ genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/llsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac802154/llsec.c
++++ b/net/mac802154/llsec.c
+@@ -152,7 +152,7 @@ err_tfm0:
+ crypto_free_sync_skcipher(key->tfm0);
+ err_tfm:
+ for (i = 0; i < ARRAY_SIZE(key->tfm); i++)
+- if (key->tfm[i])
++ if (!IS_ERR_OR_NULL(key->tfm[i]))
+ crypto_free_aead(key->tfm[i]);
+
+ kfree_sensitive(key);
net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
drivers-net-fix-memory-leak-in-atusb_probe.patch
drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
+net-mac802154-fix-general-protection-fault.patch
+net-ieee802154-nl-mac-fix-check-on-panid.patch
+net-ieee802154-fix-nl802154-del-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-dev.patch
+net-ieee802154-fix-nl802154-add-llsec-key.patch
+net-ieee802154-fix-nl802154-del-llsec-devkey.patch
+net-ieee802154-forbid-monitor-for-set-llsec-params.patch
+net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch
+net-ieee802154-stop-dump-llsec-params-for-monitors.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
