From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 11 Oct 2020 11:33:00 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.239~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1a05e1b512dec0ec9411cb1c3187f3429d44c156;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	net-team-fix-memory-leak-in-__team_options_register.patch
	team-set-dev-needed_headroom-in-team_setup_by_port.patch
---

diff --git a/queue-4.4/net-team-fix-memory-leak-in-__team_options_register.patch b/queue-4.4/net-team-fix-memory-leak-in-__team_options_register.patch
new file mode 100644
index 00000000000..d24d0fb9c5e
--- /dev/null
+++ b/queue-4.4/net-team-fix-memory-leak-in-__team_options_register.patch
@@ -0,0 +1,48 @@
+From 9a9e77495958c7382b2438bc19746dd3aaaabb8e Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 5 Oct 2020 02:25:36 +0530
+Subject: net: team: fix memory leak in __team_options_register
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream.
+
+The variable "i" isn't initialized back correctly after the first loop
+under the label inst_rollback gets executed.
+
+The value of "i" is assigned to be option_count - 1, and the ensuing
+loop (under alloc_rollback) begins by initializing i--.
+Thus, the value of i when the loop begins execution will now become
+i = option_count - 2.
+
+Thus, when kfree(dst_opts[i]) is called in the second loop in this
+order, (i.e., inst_rollback followed by alloc_rollback),
+dst_optsp[option_count - 2] is the first element freed, and
+dst_opts[option_count - 1] does not get freed, and thus, a memory
+leak is caused.
+
+This memory leak can be fixed, by assigning i = option_count (instead of
+option_count - 1).
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -285,7 +285,7 @@ inst_rollback:
+ 	for (i--; i >= 0; i--)
+ 		__team_option_inst_del_option(team, dst_opts[i]);
+ 
+-	i = option_count - 1;
++	i = option_count;
+ alloc_rollback:
+ 	for (i--; i >= 0; i--)
+ 		kfree(dst_opts[i]);
diff --git a/queue-4.4/series b/queue-4.4/series
index 88bd0700e65..a4b2940d538 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -25,3 +25,5 @@ platform-x86-thinkpad_acpi-re-initialize-acpi-buffer-size-when-reuse.patch
 driver-core-fix-probe_count-imbalance-in-really_probe.patch
 perf-top-fix-stdio-interface-input-handling-with-glibc-2.28.patch
 sctp-fix-sctp_auth_init_hmacs-error-path.patch
+team-set-dev-needed_headroom-in-team_setup_by_port.patch
+net-team-fix-memory-leak-in-__team_options_register.patch
diff --git a/queue-4.4/team-set-dev-needed_headroom-in-team_setup_by_port.patch b/queue-4.4/team-set-dev-needed_headroom-in-team_setup_by_port.patch
new file mode 100644
index 00000000000..d14648eaa21
--- /dev/null
+++ b/queue-4.4/team-set-dev-needed_headroom-in-team_setup_by_port.patch
@@ -0,0 +1,32 @@
+From 89d01748b2354e210b5d4ea47bc25a42a1b42c82 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 25 Sep 2020 06:38:08 -0700
+Subject: team: set dev->needed_headroom in team_setup_by_port()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 89d01748b2354e210b5d4ea47bc25a42a1b42c82 upstream.
+
+Some devices set needed_headroom. If we ignore it, we might
+end up crashing in various skb_push() for example in ipgre_header()
+since some layers assume enough headroom has been reserved.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2038,6 +2038,7 @@ static void team_setup_by_port(struct ne
+ 	dev->header_ops	= port_dev->header_ops;
+ 	dev->type = port_dev->type;
+ 	dev->hard_header_len = port_dev->hard_header_len;
++	dev->needed_headroom = port_dev->needed_headroom;
+ 	dev->addr_len = port_dev->addr_len;
+ 	dev->mtu = port_dev->mtu;
+ 	memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len);