--- /dev/null
+From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001
+From: "F.A.Sulaiman" <asha.16@itfac.mrt.ac.lk>
+Date: Tue, 24 Aug 2021 20:37:30 +0530
+Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe
+
+From: F.A.Sulaiman <asha.16@itfac.mrt.ac.lk>
+
+commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream.
+
+Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
+The problem is the driver assumes the device must have an input report but
+some malicious devices violate this assumption.
+
+So this patch checks hid_device's input is non empty before it's been used.
+
+Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
+Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
+Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-betopff.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -59,15 +59,22 @@ static int betopff_init(struct hid_devic
+ {
+ struct betopff_device *betopff;
+ struct hid_report *report;
+- struct hid_input *hidinput =
+- list_first_entry(&hid->inputs, struct hid_input, list);
++ struct hid_input *hidinput;
+ struct list_head *report_list =
+ &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+- struct input_dev *dev = hidinput->input;
++ struct input_dev *dev;
+ int field_count = 0;
+ int error;
+ int i, j;
+
++ if (list_empty(&hid->inputs)) {
++ hid_err(hid, "no inputs found\n");
++ return -ENODEV;
++ }
++
++ hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
++ dev = hidinput->input;
++
+ if (list_empty(report_list)) {
+ hid_err(hid, "no output reports found\n");
+ return -ENODEV;
--- /dev/null
+From f7744fa16b96da57187dc8e5634152d3b63d72de Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Thu, 24 Jun 2021 00:10:29 +0530
+Subject: HID: usbhid: free raw_report buffers in usbhid_stop
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream.
+
+Free the unsent raw_report buffers when the device is removed.
+
+Fixes a memory leak reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47
+
+Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/usbhid/hid-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -506,7 +506,7 @@ static void hid_ctrl(struct urb *urb)
+
+ if (unplug) {
+ usbhid->ctrltail = usbhid->ctrlhead;
+- } else {
++ } else if (usbhid->ctrlhead != usbhid->ctrltail) {
+ usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
+
+ if (usbhid->ctrlhead != usbhid->ctrltail &&
+@@ -1224,9 +1224,20 @@ static void usbhid_stop(struct hid_devic
+ mutex_lock(&usbhid->mutex);
+
+ clear_bit(HID_STARTED, &usbhid->iofl);
++
+ spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
+ set_bit(HID_DISCONNECTED, &usbhid->iofl);
++ while (usbhid->ctrltail != usbhid->ctrlhead) {
++ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
++ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
++ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
++ }
++
++ usbhid->ctrltail = (usbhid->ctrltail + 1) &
++ (HID_CONTROL_FIFO_SIZE - 1);
++ }
+ spin_unlock_irq(&usbhid->lock);
++
+ usb_kill_urb(usbhid->urbin);
+ usb_kill_urb(usbhid->urbout);
+ usb_kill_urb(usbhid->urbctrl);
--- /dev/null
+From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001
+From: Yanfei Xu <yanfei.xu@windriver.com>
+Date: Sun, 26 Sep 2021 12:53:13 +0800
+Subject: net: mdiobus: Fix memory leak in __mdiobus_register
+
+From: Yanfei Xu <yanfei.xu@windriver.com>
+
+commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it will cause memory
+leak.
+
+BUG: memory leak
+unreferenced object 0xffff888114032e00 (size 256):
+ comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff ................
+ 08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff .........ve.....
+ backtrace:
+ [<ffffffff8265cfab>] kmalloc include/linux/slab.h:591 [inline]
+ [<ffffffff8265cfab>] kzalloc include/linux/slab.h:721 [inline]
+ [<ffffffff8265cfab>] device_private_init drivers/base/core.c:3203 [inline]
+ [<ffffffff8265cfab>] device_add+0x89b/0xdf0 drivers/base/core.c:3253
+ [<ffffffff828dd643>] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
+ [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+ [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+ [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+ [<ffffffff82660916>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
+ [<ffffffff8265cd0b>] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
+ [<ffffffff82c343b9>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
+ [<ffffffff82c4473c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+
+BUG: memory leak
+unreferenced object 0xffff888116f06900 (size 32):
+ comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
+ hex dump (first 32 bytes):
+ 75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00 usb-001:003.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81484516>] kstrdup+0x36/0x70 mm/util.c:60
+ [<ffffffff814845a3>] kstrdup_const+0x53/0x80 mm/util.c:83
+ [<ffffffff82296ba2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
+ [<ffffffff82358d4b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
+ [<ffffffff826575f3>] dev_set_name+0x63/0x90 drivers/base/core.c:3147
+ [<ffffffff828dd63b>] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
+ [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+ [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+ [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+
+Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -381,6 +381,7 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
++ put_device(&bus->dev);
+ return -EINVAL;
+ }
+
--- /dev/null
+From 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+Date: Mon, 6 Sep 2021 18:26:34 +0200
+Subject: netfilter: ipset: Fix oversized kvmalloc() calls
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream.
+
+The commit
+
+commit 7661809d493b426e979f39ab512e3adf41fbcc69
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Jul 14 09:45:49 2021 -0700
+
+ mm: don't allow oversized kvmalloc() calls
+
+limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
+same limit in ipset.
+
+Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com
+Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com
+Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -104,11 +104,11 @@ htable_size(u8 hbits)
+ {
+ size_t hsize;
+
+- /* We must fit both into u32 in jhash and size_t */
++ /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */
+ if (hbits > 31)
+ return 0;
+ hsize = jhash_size(hbits);
+- if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *)
++ if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *)
+ < hsize)
+ return 0;
+
usb-hso-fix-error-handling-code-of-hso_create_net_device.patch
usb-hso-remove-the-bailout-parameter.patch
crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
+hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
+netfilter-ipset-fix-oversized-kvmalloc-calls.patch
+hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
+net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
