From: Sasha Levin Date: Sun, 20 Jun 2021 03:15:26 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.4.128~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad69df2e8ad0ed405e44d5fd0f23ae046e23c08c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/be2net-fix-an-error-handling-path-in-be_probe.patch b/queue-4.4/be2net-fix-an-error-handling-path-in-be_probe.patch new file mode 100644 index 00000000000..bb1beedaca0 --- /dev/null +++ b/queue-4.4/be2net-fix-an-error-handling-path-in-be_probe.patch @@ -0,0 +1,37 @@ +From 2bab3782109f2e2418a47c2a68ccc36b1683ca7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 20:43:37 +0200 +Subject: be2net: Fix an error handling path in 'be_probe()' + +From: Christophe JAILLET + +[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: d6b6d9877878 ("be2net: use PCIe AER capability") +Signed-off-by: Christophe JAILLET +Acked-by: Somnath Kotur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 7cd39324106d..398b9bd09400 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -5878,6 +5878,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +-- +2.30.2 + diff --git a/queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch b/queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch new file mode 100644 index 00000000000..05eee00cec3 --- /dev/null +++ b/queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch @@ -0,0 +1,96 @@ +From 5348b2f757c5e3073bb253b98d38b80b1152be63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:47:15 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg / + unix_release_sock + +From: Eric Dumazet + +[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] + +While unix_may_send(sk, osk) is called while osk is locked, it appears +unix_release_sock() can overwrite unix_peer() after this lock has been +released, making KCSAN unhappy. + +Changing unix_release_sock() to access/change unix_peer() +before lock is released should fix this issue. + +BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock + +write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: + unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 + unix_release+0x2f/0x50 net/unix/af_unix.c:859 + __sock_release net/socket.c:599 [inline] + sock_close+0x6c/0x150 net/socket.c:1258 + __fput+0x25b/0x4e0 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0xae/0x130 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 + do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: + unix_may_send net/unix/af_unix.c:189 [inline] + unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff888167905400 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index ac78c5ac8284..33948cc03ba6 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -534,12 +534,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -554,7 +556,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +-- +2.30.2 + diff --git a/queue-4.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch b/queue-4.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch new file mode 100644 index 00000000000..da09c00b56f --- /dev/null +++ b/queue-4.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch @@ -0,0 +1,44 @@ +From e686a66f668a993eadbe748cbbdf1fc39a12b36a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 07:32:32 +0800 +Subject: net: cdc_eem: fix tx fixup skb leak + +From: Linyu Yuan + +[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ] + +when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), +if skb_copy_expand() failed, it return NULL, +usbnet_start_xmit() will have no chance to free original skb. + +fix it by free orginal skb in eem_tx_fixup() first, +then check skb clone status, if failed, return NULL to usbnet. + +Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") +Signed-off-by: Linyu Yuan +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_eem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index f7180f8db39e..9c15e1a1261b 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -138,10 +138,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +-- +2.30.2 + diff --git a/queue-4.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch b/queue-4.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch new file mode 100644 index 00000000000..2a07b18ec22 --- /dev/null +++ b/queue-4.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch @@ -0,0 +1,77 @@ +From 3c1b363dc5030a0b17a39e2f7eceaae479fd69a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 01:05:49 -0700 +Subject: net: cdc_ncm: switch to eth%d interface naming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ] + +This is meant to make the host side cdc_ncm interface consistently +named just like the older CDC protocols: cdc_ether & cdc_ecm +(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'. + +include/linux/usb/usbnet.h: + #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + #define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + #define FLAG_WWAN 0x0400 /* use "wwan%d" names */ + #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */ + +drivers/net/usb/usbnet.c @ line 1711: + strcpy (net->name, "usb%d"); + ... + // heuristic: "usb%d" for links we know are two-host, + // else "eth%d" when there's reasonable doubt. userspace + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr [0] & 0x02) == 0)) + strcpy (net->name, "eth%d"); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + strcpy(net->name, "wlan%d"); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) + strcpy(net->name, "wwan%d"); + +So by using ETHER | POINTTOPOINT the interface naming is +either usb%d or eth%d based on the global uniqueness of the +mac address of the device. + +Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm +driver end up being called usb%d instead of eth%d even though they're +definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've +tested don't hit this problem due to use of different drivers, primarily +r8152 and aqc111) + +Fixes tag is based purely on git blame, and is really just here to make +sure this hits LTS branches newer than v4.5. + +Cc: Lorenzo Colitti +Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 8de7797ea7e7..8bef8c3dd2a3 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1580,7 +1580,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +2.30.2 + diff --git a/queue-4.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/queue-4.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 00000000000..fa4bc056aeb --- /dev/null +++ b/queue-4.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch @@ -0,0 +1,56 @@ +From f03cb388aa6680eec8fd919e6271f4a5e57524c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove + +From: Pavel Skripkin + +[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index f7b42483921c..0ade0c6d81ee 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -589,10 +589,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.30.2 + diff --git a/queue-4.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/queue-4.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 00000000000..ffed3d7ed05 --- /dev/null +++ b/queue-4.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch @@ -0,0 +1,112 @@ +From 1f4a227e01efa1089c7ed2bde0c2689eb13b6605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: net: hamradio: fix memory leak in mkiss_close + +From: Pavel Skripkin + +[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ] + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... + backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 470d416f2b86..078eb110381c 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.30.2 + diff --git a/queue-4.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch b/queue-4.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..5c39ad7302d --- /dev/null +++ b/queue-4.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,66 @@ +From a3d760b05f7c7b9d008d08c02b551798dd2ded4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 09:51:58 +0800 +Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std + +From: Nanyong Sun + +[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ] + +Reported by syzkaller: +BUG: memory leak +unreferenced object 0xffff888105df7000 (size 64): +comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] +[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 +[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 +[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] +[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 +[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 +[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 +[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] +[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 +[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 +[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] +[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 +[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 +[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 +[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 +[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 +[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +The memory of doi_def->map.std pointing is allocated in +netlbl_cipsov4_add_std, but no place has freed it. It should be +freed in cipso_v4_doi_free which frees the cipso DOI resource. + +Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Reported-by: Hulk Robot +Signed-off-by: Nanyong Sun +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 0e83c5b08e0e..e798e27b3c7d 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -557,6 +557,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +-- +2.30.2 + diff --git a/queue-4.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch b/queue-4.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch new file mode 100644 index 00000000000..3955e339fef --- /dev/null +++ b/queue-4.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch @@ -0,0 +1,73 @@ +From 9e5306859833b6423fd75ad112dd788664efe458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:06:41 +0300 +Subject: net: rds: fix memory leak in rds_recvmsg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] + +Syzbot reported memory leak in rds. The problem +was in unputted refcount in case of error. + +int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + int msg_flags) +{ +... + + if (!rds_next_incoming(rs, &inc)) { + ... + } + +After this "if" inc refcount incremented and + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; + goto out; + } +... +out: + return ret; +} + +in case of rds_cmsg_recv() fail the refcount won't be +decremented. And it's easy to see from ftrace log, that +rds_inc_addref() don't have rds_inc_put() pair in +rds_recvmsg() after rds_cmsg_recv() + + 1) | rds_recvmsg() { + 1) 3.721 us | rds_inc_addref(); + 1) 3.853 us | rds_message_inc_copy_to_user(); + 1) + 10.395 us | rds_cmsg_recv(); + 1) + 34.260 us | } + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/recv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index 9bf812509e0e..1ff4bc3237f0 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -482,7 +482,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg)) { + ret = -EFAULT; +- goto out; ++ break; + } + + rds_stats_inc(s_recv_delivered); +-- +2.30.2 + diff --git a/queue-4.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch b/queue-4.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch new file mode 100644 index 00000000000..2784da76855 --- /dev/null +++ b/queue-4.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch @@ -0,0 +1,42 @@ +From 3c5113d447bbc20386f004340b604dc0b42595b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition + +From: Jisheng Zhang + +[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ] + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index b3fe0575ff6b..db2a341ae4b3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -83,10 +83,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + /* PCS registers (AN/TBI/SGMII/RGMII) offset */ +-- +2.30.2 + diff --git a/queue-4.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch b/queue-4.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch new file mode 100644 index 00000000000..3640625ca3b --- /dev/null +++ b/queue-4.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch @@ -0,0 +1,72 @@ +From 9893e4f47bd6ed8188bcfb75360d000b783c6a5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:48:33 +0800 +Subject: net: usb: fix possible use-after-free in smsc75xx_bind + +From: Dongliang Mu + +[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ] + +The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +fails to clean up the work scheduled in smsc75xx_reset-> +smsc75xx_set_multicast, which leads to use-after-free if the work is +scheduled to start after the deallocation. In addition, this patch +also removes a dangling pointer - dev->data[0]. + +This patch calls cancel_work_sync to cancel the scheduled work and set +the dangling pointer to NULL. + +Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 850bb147f4b0..9fe6a8d899b0 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1485,7 +1485,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- goto err; ++ goto free_pdata; + } + + smsc75xx_init_mac_address(dev); +@@ -1494,7 +1494,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- goto err; ++ goto cancel_work; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1504,8 +1504,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len; + return 0; + +-err: ++cancel_work: ++ cancel_work_sync(&pdata->set_multicast); ++free_pdata: + kfree(pdata); ++ dev->data[0] = 0; + return ret; + } + +@@ -1516,7 +1519,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) + cancel_work_sync(&pdata->set_multicast); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); +- pdata = NULL; + dev->data[0] = 0; + } + } +-- +2.30.2 + diff --git a/queue-4.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch b/queue-4.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch new file mode 100644 index 00000000000..1e24ad30e22 --- /dev/null +++ b/queue-4.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch @@ -0,0 +1,59 @@ +From 19dc84f0c741facdde74e9383b062ae2b7a9ce50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:29 +0300 +Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options + +From: Maxim Mikityanskiy + +[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ] + +The TCP option parser in synproxy (synproxy_parse_options) could read +one byte out of bounds. When the length is 1, the execution flow gets +into the loop, reads one byte of the opcode, and if the opcode is +neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds +the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added an early return when length < 0 to avoid calling +skb_header_pointer with negative length. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_synproxy_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index c8a4a48bced9..8be604eb6961 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + int length = (th->doff * 4) - sizeof(*th); + u8 buf[40], *ptr; + ++ if (unlikely(length < 0)) ++ return false; ++ + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); + if (ptr == NULL) + return false; +@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + length--; + continue; + default: ++ if (length < 2) ++ return true; + opsize = *ptr++; + if (opsize < 2) + return true; +-- +2.30.2 + diff --git a/queue-4.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch b/queue-4.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch new file mode 100644 index 00000000000..1a8a508ba07 --- /dev/null +++ b/queue-4.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch @@ -0,0 +1,37 @@ +From 98f0c0594556c1355559fd3122b2afd122a127d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:53:12 +0200 +Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + +From: Christophe JAILLET + +[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: e87ad5539343 ("netxen: support pci error handlers") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index f5fc0c416e51..f89441f9bd8d 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1616,6 +1616,8 @@ err_out_free_netdev: + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-4.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch b/queue-4.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch new file mode 100644 index 00000000000..b8987392549 --- /dev/null +++ b/queue-4.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch @@ -0,0 +1,36 @@ +From e0898179cef957a6cc237aa623ab0675ebbd99a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:37:46 +0200 +Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()' + +From: Christophe JAILLET + +[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 451724c821c1 ("qlcnic: aer support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index a4b10776f834..11274b7ea36c 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2706,6 +2706,7 @@ err_out_free_hw_res: + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-4.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch b/queue-4.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch new file mode 100644 index 00000000000..9ad024319ad --- /dev/null +++ b/queue-4.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch @@ -0,0 +1,55 @@ +From ab338ffff4fe8986de9d9d7da8c775e023967697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 14:17:53 +0300 +Subject: rtnetlink: Fix regression in bridge VLAN configuration + +From: Ido Schimmel + +[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ] + +Cited commit started returning errors when notification info is not +filled by the bridge driver, resulting in the following regression: + + # ip link add name br1 type bridge vlan_filtering 1 + # bridge vlan add dev br1 vid 555 self pvid untagged + RTNETLINK answers: Invalid argument + +As long as the bridge driver does not fill notification info for the +bridge device itself, an empty notification should not be considered as +an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send +notification when skb->len == 0 in rtnl_bridge_notify"). + +Fix by removing the error and add a comment to avoid future bugs. + +Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()") +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 11d2da8abd73..7d6fe9ba9a24 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3240,10 +3240,12 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) { +- err = -EINVAL; ++ /* Notification info is only filled for bridge ports, not the bridge ++ * device itself. Therefore, a zero notification length is valid and ++ * should not result in an error. ++ */ ++ if (!skb->len) + goto errout; +- } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index 0dae9e86bf1..dbe96e3fd30 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -12,3 +12,17 @@ net-x25-return-the-correct-errno-code.patch net-return-the-correct-errno-code.patch fib-return-the-correct-errno-code.patch dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch +net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch +net-rds-fix-memory-leak-in-rds_recvmsg.patch +rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch +netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch +net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch +qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch +netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch +net-cdc_ncm-switch-to-eth-d-interface-naming.patch +net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch +net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch +be2net-fix-an-error-handling-path-in-be_probe.patch +net-hamradio-fix-memory-leak-in-mkiss_close.patch +net-cdc_eem-fix-tx-fixup-skb-leak.patch +net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch