From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 30 May 2021 12:32:30 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.271~76
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2686156cff3f93094b53ab623ea0bfc550f2630;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	net-usb-fix-memory-leak-in-smsc75xx_bind.patch
	spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
---

diff --git a/queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch b/queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
new file mode 100644
index 00000000000..b5ba8c6a742
--- /dev/null
+++ b/queue-5.4/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
@@ -0,0 +1,60 @@
+From 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 24 May 2021 23:02:08 +0300
+Subject: net: usb: fix memory leak in smsc75xx_bind
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 upstream.
+
+Syzbot reported memory leak in smsc75xx_bind().
+The problem was is non-freed memory in case of
+errors after memory allocation.
+
+backtrace:
+  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
+  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
+  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
+  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Cc: stable@kernel.vger.org
+Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1482,7 +1482,7 @@ static int smsc75xx_bind(struct usbnet *
+ 	ret = smsc75xx_wait_ready(dev, 0);
+ 	if (ret < 0) {
+ 		netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+-		return ret;
++		goto err;
+ 	}
+ 
+ 	smsc75xx_init_mac_address(dev);
+@@ -1491,7 +1491,7 @@ static int smsc75xx_bind(struct usbnet *
+ 	ret = smsc75xx_reset(dev);
+ 	if (ret < 0) {
+ 		netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+-		return ret;
++		goto err;
+ 	}
+ 
+ 	dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1501,6 +1501,10 @@ static int smsc75xx_bind(struct usbnet *
+ 	dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+ 	dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+ 	return 0;
++
++err:
++	kfree(pdata);
++	return ret;
+ }
+ 
+ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
diff --git a/queue-5.4/series b/queue-5.4/series
index 846990a5aac..81940e29e44 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -60,3 +60,5 @@ usb-serial-pl2303-add-device-id-for-adlink-nd-6530-gc.patch
 thermal-drivers-intel-initialize-rw-trip-to-thermal_temp_invalid.patch
 usb-dwc3-gadget-properly-track-pending-and-queued-sg.patch
 usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
+net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
diff --git a/queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch b/queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..51b022f021f
--- /dev/null
+++ b/queue-5.4/spi-spi-geni-qcom-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,56 @@
+From 8f96c434dfbc85ffa755d6634c8c1cb2233fcf24 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:02 +0100
+Subject: spi: spi-geni-qcom: Fix use-after-free on unbind
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 8f96c434dfbc85ffa755d6634c8c1cb2233fcf24 upstream.
+
+spi_geni_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Moreover, since commit 1a9e489e6128 ("spi: spi-geni-qcom: Use OPP API to
+set clk/perf state"), spi_geni_probe() leaks the spi_master allocation
+if the calls to dev_pm_opp_set_clkname() or dev_pm_opp_of_add_table()
+fail.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound and also
+avoids the spi_master leak on probe.
+
+Fixes: 561de45f72bd ("spi: spi-geni-qcom: Add SPI driver support for GENI based QUP")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.20+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.20+
+Cc: Rajendra Nayak <rnayak@codeaurora.org>
+Cc: Girish Mahadevan <girishm@codeaurora.org>
+Link: https://lore.kernel.org/r/dfa1d8c41b8acdfad87ec8654cd124e6e3cb3f31.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[lukas: backport to v5.4.123]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-geni-qcom.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -552,7 +552,7 @@ static int spi_geni_probe(struct platfor
+ 		return PTR_ERR(clk);
+ 	}
+ 
+-	spi = spi_alloc_master(&pdev->dev, sizeof(*mas));
++	spi = devm_spi_alloc_master(&pdev->dev, sizeof(*mas));
+ 	if (!spi)
+ 		return -ENOMEM;
+ 
+@@ -599,7 +599,6 @@ spi_geni_probe_free_irq:
+ 	free_irq(mas->irq, spi);
+ spi_geni_probe_runtime_disable:
+ 	pm_runtime_disable(&pdev->dev);
+-	spi_master_put(spi);
+ 	return ret;
+ }
+