From: Greg Kroah-Hartman Date: Tue, 3 Mar 2020 15:45:49 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.108~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56ecf1cef205d2b8ea42a57dc96685416f020d61;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: slip-stop-double-free-sl-dev-in-slip_open.patch --- diff --git a/queue-4.9/series b/queue-4.9/series index f4e7cc93943..d4d3d579130 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -42,3 +42,4 @@ net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch net-ena-make-ena-rxfh-support-eth_rss_hash_no_change.patch namei-only-return-echild-from-follow_dotdot_rcu.patch kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch +slip-stop-double-free-sl-dev-in-slip_open.patch diff --git a/queue-4.9/slip-stop-double-free-sl-dev-in-slip_open.patch b/queue-4.9/slip-stop-double-free-sl-dev-in-slip_open.patch new file mode 100644 index 00000000000..91b04f619d5 --- /dev/null +++ b/queue-4.9/slip-stop-double-free-sl-dev-in-slip_open.patch 
@@ -0,0 +1,34 @@ +From yangerkun@huawei.com Tue Mar 3 16:44:49 2020 +From: yangerkun +Date: Fri, 28 Feb 2020 21:40:48 +0800 +Subject: slip: stop double free sl->dev in slip_open +To: +Cc: , , , +Message-ID: <20200228134048.19675-1-yangerkun@huawei.com> + +From: yangerkun + +After include 3b5a39979daf ("slip: Fix memory leak in slip_open error path") +and e58c19124189 ("slip: Fix use-after-free Read in slip_open") with 4.4.y/4.9.y. +We will trigger a bug since we can double free sl->dev in slip_open. Actually, +we should backport cf124db566e6 ("net: Fix inconsistent teardown and release +of private netdev state.") too since it has delete free_netdev from sl_free_netdev. +Fix it by delete free_netdev from slip_open. + +Signed-off-by: yangerkun +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/slip/slip.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -868,7 +868,6 @@ err_free_chan: + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); + sl_free_netdev(sl->dev); +- free_netdev(sl->dev); + + err_exit: + rtnl_unlock();
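Review bot: In the queue-4.9/series hunk the new entry is added to the 4.9 queue only, while the patch's own changelog says the double free is triggered with 4.4.y/4.9.y. If 3b5a39979daf and e58c19124189 are also applied in 4.4.y, the same removal needs a series entry in that queue as well; otherwise the changelog should say why 4.4 is out of scope.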
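Review bot: At err_free_chan in the drivers/net/slip/slip.c hunk, dropping free_netdev(sl->dev) is only correct while sl_free_netdev() in this tree still frees the netdev itself, and nothing in the code records that dependency. The changelog notes that cf124db566e6 removed free_netdev from sl_free_netdev upstream, so if that commit is backported to 4.9.y later, this error path would stop freeing sl->dev at all. Suggest a one-line comment above sl_free_netdev(sl->dev) saying it also releases the device in this tree, and a changelog line marking the patch as a stable-only change with Fixes: tags for 3b5a39979daf and e58c19124189.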