--- /dev/null
+From 1b5ab825d9acc0f27d2f25c6252f3526832a9626 Mon Sep 17 00:00:00 2001
+From: Du Cheng <ducheng2@gmail.com>
+Date: Thu, 8 Apr 2021 00:27:56 +0800
+Subject: cfg80211: remove WARN_ON() in cfg80211_sme_connect
+
+From: Du Cheng <ducheng2@gmail.com>
+
+commit 1b5ab825d9acc0f27d2f25c6252f3526832a9626 upstream.
+
+A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if multiple
+send_msg(NL80211_CMD_CONNECT) system calls are made from the userland, which
+should be anticipated and handled by the wireless driver. Remove this WARN_ON()
+to prevent kernel panic if kernel is configured to "panic_on_warn".
+
+Bug reported by syzbot.
+
+Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210407162756.6101-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -530,7 +530,7 @@ static int cfg80211_sme_connect(struct w
+ cfg80211_sme_free(wdev);
+ }
+
+- if (WARN_ON(wdev->conn))
++ if (wdev->conn)
+ return -EINPROGRESS;
+
+ wdev->conn = kzalloc(sizeof(*wdev->conn), GFP_KERNEL);
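Review bot: With the WARN_ON() gone, the `if (wdev->conn)` check in cfg80211_sme_connect() gives no hint that this branch is reachable from userspace, so a later cleanup could easily put an assertion back. The commit message says repeated NL80211_CMD_CONNECT requests reach it, which makes any warning here a user-triggerable panic on systems running with panic_on_warn. A comment above the check would record that, for example `/* userspace can issue a second connect while one is pending; not a kernel bug, so no WARN */`. The function body starts and ends outside the hunk.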
--- /dev/null
+From 6b9fbe16955152626557ec6f439f3407b7769941 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 1 Apr 2021 07:46:24 +0300
+Subject: drivers: net: fix memory leak in atusb_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 6b9fbe16955152626557ec6f439f3407b7769941 upstream.
+
+syzbot reported memory leak in atusb_probe()[1].
+The problem was in atusb_alloc_urbs().
+Since urb is anchored, we need to release the reference
+to correctly free the urb
+
+backtrace:
+ [<ffffffff82ba0466>] kmalloc include/linux/slab.h:559 [inline]
+ [<ffffffff82ba0466>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
+ [<ffffffff82ad3888>] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2]
+ [<ffffffff82ad3888>] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1]
+
+Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/atusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -365,6 +365,7 @@ static int atusb_alloc_urbs(struct atusb
+ return -ENOMEM;
+ }
+ usb_anchor_urb(urb, &atusb->idle_urbs);
++ usb_free_urb(urb);
+ n--;
+ }
+ return 0;
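Review bot: The added `usb_free_urb(urb)` directly after `usb_anchor_urb()` reads like a premature free unless the reader knows that anchoring takes its own reference. A one-line comment would settle it: `/* the anchor holds its own reference; drop the one from usb_alloc_urb() */`. After this change the idle_urbs anchor is presumably the only owner of each urb, so the paths that take urbs back out of the anchor (not visible in this hunk) are worth re-checking for balanced get/put. atusb_alloc_urbs() starts outside the hunk.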
--- /dev/null
+From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 1 Apr 2021 16:27:52 +0300
+Subject: drivers: net: fix memory leak in peak_usb_create_dev
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream.
+
+syzbot reported memory leak in peak_usb.
+The problem was in case of failure after calling
+->dev_init()[2] in peak_usb_create_dev()[1]. The data
+allocated int dev_init() wasn't freed, so simple
+->dev_free() call fix this problem.
+
+backtrace:
+ [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline]
+ [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline]
+ [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2]
+ [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1]
+ [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949
+
+Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -857,7 +857,7 @@ static int peak_usb_create_dev(const str
+ if (dev->adapter->dev_set_bus) {
+ err = dev->adapter->dev_set_bus(dev, 0);
+ if (err)
+- goto lbl_unregister_candev;
++ goto adap_dev_free;
+ }
+
+ /* get device number early */
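Review bot: The new label `adap_dev_free`, used by the `goto` in this hunk and defined in the next one, does not follow the `lbl_` prefix of the neighbouring `lbl_unregister_candev`; `lbl_adap_dev_free` would keep the unwind labels in peak_usb_create_dev() consistent. A short comment at the label, `/* undo ->dev_init() */`, would also make the pairing explicit, since the `->dev_init()` call itself is outside both hunks. Only the `dev_set_bus` failure is visibly routed to the new label, so any other failure between `->dev_init()` and the `return 0` should be checked to jump there too.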
+@@ -869,6 +869,10 @@ static int peak_usb_create_dev(const str
+
+ return 0;
+
++adap_dev_free:
++ if (dev->adapter->dev_free)
++ dev->adapter->dev_free(dev);
++
+ lbl_unregister_candev:
+ unregister_candev(netdev);
+
--- /dev/null
+From cca8ea3b05c972ffb5295367e6c544369b45fbdd Mon Sep 17 00:00:00 2001
+From: Phillip Potter <phil@philpotter.co.uk>
+Date: Tue, 6 Apr 2021 18:45:54 +0100
+Subject: net: tun: set tun->dev->addr_len during TUNSETLINK processing
+
+From: Phillip Potter <phil@philpotter.co.uk>
+
+commit cca8ea3b05c972ffb5295367e6c544369b45fbdd upstream.
+
+When changing type with TUNSETLINK ioctl command, set tun->dev->addr_len
+to match the appropriate type, using new tun_get_addr_len utility function
+which returns appropriate address length for given type. Fixes a
+KMSAN-found uninit-value bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=0766d38c656abeace60621896d705743aeefed51
+
+Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com
+Diagnosed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -69,6 +69,14 @@
+ #include <linux/bpf.h>
+ #include <linux/bpf_trace.h>
+ #include <linux/mutex.h>
++#include <linux/ieee802154.h>
++#include <linux/if_ltalk.h>
++#include <uapi/linux/if_fddi.h>
++#include <uapi/linux/if_hippi.h>
++#include <uapi/linux/if_fc.h>
++#include <net/ax25.h>
++#include <net/rose.h>
++#include <net/6lowpan.h>
+
+ #include <linux/uaccess.h>
+ #include <linux/proc_fs.h>
+@@ -2925,6 +2933,45 @@ static int tun_set_ebpf(struct tun_struc
+ return __tun_set_ebpf(tun, prog_p, prog);
+ }
+
++/* Return correct value for tun->dev->addr_len based on tun->dev->type. */
++static unsigned char tun_get_addr_len(unsigned short type)
++{
++ switch (type) {
++ case ARPHRD_IP6GRE:
++ case ARPHRD_TUNNEL6:
++ return sizeof(struct in6_addr);
++ case ARPHRD_IPGRE:
++ case ARPHRD_TUNNEL:
++ case ARPHRD_SIT:
++ return 4;
++ case ARPHRD_ETHER:
++ return ETH_ALEN;
++ case ARPHRD_IEEE802154:
++ case ARPHRD_IEEE802154_MONITOR:
++ return IEEE802154_EXTENDED_ADDR_LEN;
++ case ARPHRD_PHONET_PIPE:
++ case ARPHRD_PPP:
++ case ARPHRD_NONE:
++ return 0;
++ case ARPHRD_6LOWPAN:
++ return EUI64_ADDR_LEN;
++ case ARPHRD_FDDI:
++ return FDDI_K_ALEN;
++ case ARPHRD_HIPPI:
++ return HIPPI_ALEN;
++ case ARPHRD_IEEE802:
++ return FC_ALEN;
++ case ARPHRD_ROSE:
++ return ROSE_ADDR_LEN;
++ case ARPHRD_NETROM:
++ return AX25_ADDR_LEN;
++ case ARPHRD_LOCALTLK:
++ return LTALK_ALEN;
++ default:
++ return 0;
++ }
++}
++
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg, int ifreq_len)
+ {
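Review bot: In tun_get_addr_len() the IPv4 tunnel cases return a bare `4` while the IPv6 cases just above use `sizeof(struct in6_addr)`; `return sizeof(struct in_addr);` would state the intent the same way, assuming struct in_addr is already in scope in tun.c. The explicit `ARPHRD_PHONET_PIPE`/`ARPHRD_PPP`/`ARPHRD_NONE` cases return the same 0 as `default`. A comment on `default` such as `/* unknown link type: no hardware address */` would make clear that unlisted types are deliberately mapped to 0 and not forgotten. `__tun_chr_ioctl()` begins at the end of this hunk and continues outside it.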
+@@ -3088,6 +3135,7 @@ static long __tun_chr_ioctl(struct file
+ break;
+ }
+ tun->dev->type = (int) arg;
++ tun->dev->addr_len = tun_get_addr_len(tun->dev->type);
+ netif_info(tun, drv, tun->dev, "linktype set to %d\n",
+ tun->dev->type);
+ call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE,
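Review bot: The new assignment can raise `addr_len` (up to `sizeof(struct in6_addr)` according to tun_get_addr_len()), but nothing in the visible lines touches the address bytes themselves. Since the reported bug was an uninitialised read, it is worth confirming that the device address and broadcast buffers are zero-filled beyond the previous length. A comment could record the invariant, e.g. `/* keep addr_len in step with type; consumers read addr_len bytes of the address */`. `arg` is cast to `int` and stored as the link type here; the range check, if any, sits above the hunk, and the ioctl body continues outside it.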
net-sched-bump-refcount-for-new-action-in-act-replace-mode.patch
x86-traps-correct-exc_general_protection-and-math_error-return-paths.patch
gpiolib-read-gpio-line-names-from-a-firmware-node.patch
+cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
+net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
+drivers-net-fix-memory-leak-in-atusb_probe.patch
+drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch