--- /dev/null
+From ab9e0c529eb7cafebdd31fe1644524e80a48b05d Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Sat, 29 Jun 2024 14:42:13 +0200
+Subject: ata: libata-core: Fix double free on error
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit ab9e0c529eb7cafebdd31fe1644524e80a48b05d upstream.
+
+If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
+to the err_out label, which will call devres_release_group().
+devres_release_group() will trigger a call to ata_host_release().
+ata_host_release() calls kfree(host), so executing the kfree(host) in
+ata_host_alloc() will lead to a double free:
+
+kernel BUG at mm/slub.c:553!
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:kfree+0x2cf/0x2f0
+Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
+RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
+RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
+RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
+RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
+R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
+FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? die+0x2e/0x50
+ ? do_trap+0xca/0x110
+ ? do_error_trap+0x6a/0x90
+ ? kfree+0x2cf/0x2f0
+ ? exc_invalid_op+0x50/0x70
+ ? kfree+0x2cf/0x2f0
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? ata_host_alloc+0xf5/0x120 [libata]
+ ? ata_host_alloc+0xf5/0x120 [libata]
+ ? kfree+0x2cf/0x2f0
+ ata_host_alloc+0xf5/0x120 [libata]
+ ata_host_alloc_pinfo+0x14/0xa0 [libata]
+ ahci_init_one+0x6c9/0xd20 [ahci]
+
+Ensure that we will not call kfree(host) twice, by performing the kfree()
+only if the devres_open_group() call failed.
+
+Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
+Cc: stable@vger.kernel.org
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6212,8 +6212,10 @@ struct ata_host *ata_host_alloc(struct d
+ if (!host)
+ return NULL;
+
+- if (!devres_open_group(dev, NULL, GFP_KERNEL))
+- goto err_free;
++ if (!devres_open_group(dev, NULL, GFP_KERNEL)) {
++ kfree(host);
++ return NULL;
++ }
+
+ dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
+ if (!dr)
+@@ -6245,8 +6247,6 @@ struct ata_host *ata_host_alloc(struct d
+
+ err_out:
+ devres_release_group(dev, NULL);
+- err_free:
+- kfree(host);
+ return NULL;
+ }
+
--- /dev/null
+From 537a350d14321c8cca5efbf0a33a404fec3a9f9e Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 4 May 2024 21:57:30 +0200
+Subject: batman-adv: Don't accept TT entries for out-of-spec VIDs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream.
+
+The internal handling of VLAN IDs in batman-adv is only specified for
+following encodings:
+
+* VLAN is used
+ - bit 15 is 1
+ - bit 11 - bit 0 is the VLAN ID (0-4095)
+ - remaining bits are 0
+* No VLAN is used
+ - bit 15 is 0
+ - remaining bits are 0
+
+batman-adv was only preparing new translation table entries (based on its
+soft interface information) using this encoding format. But the receive
+path was never checking if entries in the roam or TT TVLVs were also
+following this encoding.
+
+It was therefore possible to create more than the expected maximum of 4096
++ 1 entries in the originator VLAN list. Simply by setting the "remaining
+bits" to "random" values in corresponding TVLV.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/originator.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -23,6 +23,7 @@
+ #include <linux/errno.h>
+ #include <linux/etherdevice.h>
+ #include <linux/gfp.h>
++#include <linux/if_vlan.h>
+ #include <linux/jiffies.h>
+ #include <linux/kernel.h>
+ #include <linux/kref.h>
+@@ -144,6 +145,29 @@ batadv_orig_node_vlan_get(struct batadv_
+ }
+
+ /**
++ * batadv_vlan_id_valid() - check if vlan id is in valid batman-adv encoding
++ * @vid: the VLAN identifier
++ *
++ * Return: true when either no vlan is set or if VLAN is in correct range,
++ * false otherwise
++ */
++static bool batadv_vlan_id_valid(unsigned short vid)
++{
++ unsigned short non_vlan = vid & ~(BATADV_VLAN_HAS_TAG | VLAN_VID_MASK);
++
++ if (vid == 0)
++ return true;
++
++ if (!(vid & BATADV_VLAN_HAS_TAG))
++ return false;
++
++ if (non_vlan)
++ return false;
++
++ return true;
++}
++
++/**
+ * batadv_orig_node_vlan_new() - search and possibly create an orig_node_vlan
+ * object
+ * @orig_node: the originator serving the VLAN
+@@ -161,6 +185,9 @@ batadv_orig_node_vlan_new(struct batadv_
+ {
+ struct batadv_orig_node_vlan *vlan;
+
++ if (!batadv_vlan_id_valid(vid))
++ return NULL;
++
+ spin_lock_bh(&orig_node->vlan_list_lock);
+
+ /* first look if an object for this vid already exists */
projects / thirdparty / kernel / stable-queue.git / commitdiff
