From: Greg Kroah-Hartman Date: Mon, 12 Apr 2021 07:47:43 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.187~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d55ecc125960f6b63fb0c5a51f3b499c47ac1191;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drivers-net-fix-memory-leak-in-atusb_probe.patch drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch net-ieee802154-fix-nl802154-add-llsec-key.patch net-ieee802154-fix-nl802154-del-llsec-dev.patch net-ieee802154-fix-nl802154-del-llsec-devkey.patch net-ieee802154-fix-nl802154-del-llsec-key.patch net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch net-ieee802154-forbid-monitor-for-set-llsec-params.patch net-ieee802154-nl-mac-fix-check-on-panid.patch net-ieee802154-stop-dump-llsec-params-for-monitors.patch net-mac802154-fix-general-protection-fault.patch --- diff --git a/queue-4.19/drivers-net-fix-memory-leak-in-atusb_probe.patch b/queue-4.19/drivers-net-fix-memory-leak-in-atusb_probe.patch new file mode 100644 index 00000000000..140a1108197 --- /dev/null +++ b/queue-4.19/drivers-net-fix-memory-leak-in-atusb_probe.patch @@ -0,0 +1,38 @@ +From 6b9fbe16955152626557ec6f439f3407b7769941 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 1 Apr 2021 07:46:24 +0300 +Subject: drivers: net: fix memory leak in atusb_probe + +From: Pavel Skripkin + +commit 6b9fbe16955152626557ec6f439f3407b7769941 upstream. + +syzbot reported memory leak in atusb_probe()[1]. +The problem was in atusb_alloc_urbs(). +Since urb is anchored, we need to release the reference +to correctly free the urb + +backtrace: + [] kmalloc include/linux/slab.h:559 [inline] + [] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74 + [] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2] + [] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1] + +Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/atusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ieee802154/atusb.c ++++ b/drivers/net/ieee802154/atusb.c +@@ -368,6 +368,7 @@ static int atusb_alloc_urbs(struct atusb + return -ENOMEM; + } + usb_anchor_urb(urb, &atusb->idle_urbs); ++ usb_free_urb(urb); + n--; + } + return 0; diff --git a/queue-4.19/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch b/queue-4.19/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch new file mode 100644 index 00000000000..f29702619fa --- /dev/null +++ b/queue-4.19/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch @@ -0,0 +1,52 @@ +From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 1 Apr 2021 16:27:52 +0300 +Subject: drivers: net: fix memory leak in peak_usb_create_dev + +From: Pavel Skripkin + +commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream. + +syzbot reported memory leak in peak_usb. +The problem was in case of failure after calling +->dev_init()[2] in peak_usb_create_dev()[1]. The data +allocated int dev_init() wasn't freed, so simple +->dev_free() call fix this problem. + +backtrace: + [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline] + [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline] + [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2] + [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1] + [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949 + +Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -864,7 +864,7 @@ static int peak_usb_create_dev(const str + if (dev->adapter->dev_set_bus) { + err = dev->adapter->dev_set_bus(dev, 0); + if (err) +- goto lbl_unregister_candev; ++ goto adap_dev_free; + } + + /* get device number early */ +@@ -876,6 +876,10 @@ static int peak_usb_create_dev(const str + + return 0; + ++adap_dev_free: ++ if (dev->adapter->dev_free) ++ dev->adapter->dev_free(dev); ++ + lbl_unregister_candev: + unregister_candev(netdev); + diff --git a/queue-4.19/net-ieee802154-fix-nl802154-add-llsec-key.patch b/queue-4.19/net-ieee802154-fix-nl802154-add-llsec-key.patch new file mode 100644 index 00000000000..dd0d31331e8 --- /dev/null +++ b/queue-4.19/net-ieee802154-fix-nl802154-add-llsec-key.patch @@ -0,0 +1,33 @@ +From 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 21 Feb 2021 12:43:20 -0500 +Subject: net: ieee802154: fix nl802154 add llsec key + +From: Alexander Aring + +commit 20d5fe2d7103f5c43ad11a3d6d259e9d61165c35 upstream. + +This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is +not set by the user. If this is the case nl802154 will return -EINVAL. + +Reported-by: syzbot+ce4e062c2d51977ddc50@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210221174321.14210-3-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1562,7 +1562,8 @@ static int nl802154_add_llsec_key(struct + struct ieee802154_llsec_key_id id = { }; + u32 commands[NL802154_CMD_FRAME_NR_IDS / 32] = { }; + +- if (nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX, ++ if (!info->attrs[NL802154_ATTR_SEC_KEY] || ++ nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX, + info->attrs[NL802154_ATTR_SEC_KEY], + nl802154_key_policy, info->extack)) + return -EINVAL; diff --git a/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-dev.patch b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-dev.patch new file mode 100644 index 00000000000..5814b3cfe36 --- /dev/null +++ b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-dev.patch @@ -0,0 +1,33 @@ +From 3d1eac2f45585690d942cf47fd7fbd04093ebd1b Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 21 Feb 2021 12:43:19 -0500 +Subject: net: ieee802154: fix nl802154 del llsec dev + +From: Alexander Aring + +commit 3d1eac2f45585690d942cf47fd7fbd04093ebd1b upstream. + +This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVICE is +not set by the user. If this is the case nl802154 will return -EINVAL. + +Reported-by: syzbot+d946223c2e751d136c94@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210221174321.14210-2-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1781,7 +1781,8 @@ static int nl802154_del_llsec_dev(struct + struct nlattr *attrs[NL802154_DEV_ATTR_MAX + 1]; + __le64 extended_addr; + +- if (nla_parse_nested(attrs, NL802154_DEV_ATTR_MAX, ++ if (!info->attrs[NL802154_ATTR_SEC_DEVICE] || ++ nla_parse_nested(attrs, NL802154_DEV_ATTR_MAX, + info->attrs[NL802154_ATTR_SEC_DEVICE], + nl802154_dev_policy, info->extack)) + return -EINVAL; diff --git a/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-devkey.patch b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-devkey.patch new file mode 100644 index 00000000000..d826c3d6d57 --- /dev/null +++ b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-devkey.patch @@ -0,0 +1,33 @@ +From 27c746869e1a135dffc2f2a80715bb7aa00445b4 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 21 Feb 2021 12:43:21 -0500 +Subject: net: ieee802154: fix nl802154 del llsec devkey + +From: Alexander Aring + +commit 27c746869e1a135dffc2f2a80715bb7aa00445b4 upstream. + +This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_DEVKEY is +not set by the user. If this is the case nl802154 will return -EINVAL. + +Reported-by: syzbot+368672e0da240db53b5f@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210221174321.14210-4-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1943,7 +1943,8 @@ static int nl802154_del_llsec_devkey(str + struct ieee802154_llsec_device_key key; + __le64 extended_addr; + +- if (nla_parse_nested(attrs, NL802154_DEVKEY_ATTR_MAX, ++ if (!info->attrs[NL802154_ATTR_SEC_DEVKEY] || ++ nla_parse_nested(attrs, NL802154_DEVKEY_ATTR_MAX, + info->attrs[NL802154_ATTR_SEC_DEVKEY], + nl802154_devkey_policy, info->extack)) + return -EINVAL; diff --git a/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-key.patch b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-key.patch new file mode 100644 index 00000000000..8794a94b75c --- /dev/null +++ b/queue-4.19/net-ieee802154-fix-nl802154-del-llsec-key.patch @@ -0,0 +1,33 @@ +From 37feaaf5ceb2245e474369312bb7b922ce7bce69 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 21 Feb 2021 12:43:18 -0500 +Subject: net: ieee802154: fix nl802154 del llsec key + +From: Alexander Aring + +commit 37feaaf5ceb2245e474369312bb7b922ce7bce69 upstream. + +This patch fixes a nullpointer dereference if NL802154_ATTR_SEC_KEY is +not set by the user. If this is the case nl802154 will return -EINVAL. + +Reported-by: syzbot+ac5c11d2959a8b3c4806@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210221174321.14210-1-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1612,7 +1612,8 @@ static int nl802154_del_llsec_key(struct + struct nlattr *attrs[NL802154_KEY_ATTR_MAX + 1]; + struct ieee802154_llsec_key_id id; + +- if (nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX, ++ if (!info->attrs[NL802154_ATTR_SEC_KEY] || ++ nla_parse_nested(attrs, NL802154_KEY_ATTR_MAX, + info->attrs[NL802154_ATTR_SEC_KEY], + nl802154_key_policy, info->extack)) + return -EINVAL; diff --git a/queue-4.19/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch b/queue-4.19/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch new file mode 100644 index 00000000000..3e6202232dd --- /dev/null +++ b/queue-4.19/net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch @@ -0,0 +1,34 @@ +From 9dde130937e95b72adfae64ab21d6e7e707e2dac Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 4 Apr 2021 20:30:53 -0400 +Subject: net: ieee802154: forbid monitor for del llsec seclevel + +From: Alexander Aring + +commit 9dde130937e95b72adfae64ab21d6e7e707e2dac upstream. + +This patch forbids to del llsec seclevel for monitor interfaces which we +don't support yet. Otherwise we will access llsec mib which isn't +initialized for monitors. + +Reported-by: syzbot+fbf4fc11a819824e027b@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210405003054.256017-15-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -2122,6 +2122,9 @@ static int nl802154_del_llsec_seclevel(s + struct wpan_dev *wpan_dev = dev->ieee802154_ptr; + struct ieee802154_llsec_seclevel sl; + ++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR) ++ return -EOPNOTSUPP; ++ + if (!info->attrs[NL802154_ATTR_SEC_LEVEL] || + llsec_parse_seclevel(info->attrs[NL802154_ATTR_SEC_LEVEL], + &sl) < 0) diff --git a/queue-4.19/net-ieee802154-forbid-monitor-for-set-llsec-params.patch b/queue-4.19/net-ieee802154-forbid-monitor-for-set-llsec-params.patch new file mode 100644 index 00000000000..2f90d950ad3 --- /dev/null +++ b/queue-4.19/net-ieee802154-forbid-monitor-for-set-llsec-params.patch @@ -0,0 +1,33 @@ +From 88c17855ac4291fb462e13a86b7516773b6c932e Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 4 Apr 2021 20:30:41 -0400 +Subject: net: ieee802154: forbid monitor for set llsec params + +From: Alexander Aring + +commit 88c17855ac4291fb462e13a86b7516773b6c932e upstream. + +This patch forbids to set llsec params for monitor interfaces which we +don't support yet. + +Reported-by: syzbot+8b6719da8a04beeafcc3@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210405003054.256017-3-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1402,6 +1402,9 @@ static int nl802154_set_llsec_params(str + u32 changed = 0; + int ret; + ++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR) ++ return -EOPNOTSUPP; ++ + if (info->attrs[NL802154_ATTR_SEC_ENABLED]) { + u8 enabled; + diff --git a/queue-4.19/net-ieee802154-nl-mac-fix-check-on-panid.patch b/queue-4.19/net-ieee802154-nl-mac-fix-check-on-panid.patch new file mode 100644 index 00000000000..95ff06cd51a --- /dev/null +++ b/queue-4.19/net-ieee802154-nl-mac-fix-check-on-panid.patch @@ -0,0 +1,44 @@ +From 6f7f657f24405f426212c09260bf7fe8a52cef33 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 28 Feb 2021 10:18:03 -0500 +Subject: net: ieee802154: nl-mac: fix check on panid + +From: Alexander Aring + +commit 6f7f657f24405f426212c09260bf7fe8a52cef33 upstream. + +This patch fixes a null pointer derefence for panid handle by move the +check for the netlink variable directly before accessing them. + +Reported-by: syzbot+d4c07de0144f6f63be3a@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210228151817.95700-4-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl-mac.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ieee802154/nl-mac.c ++++ b/net/ieee802154/nl-mac.c +@@ -559,9 +559,7 @@ ieee802154_llsec_parse_key_id(struct gen + desc->mode = nla_get_u8(info->attrs[IEEE802154_ATTR_LLSEC_KEY_MODE]); + + if (desc->mode == IEEE802154_SCF_KEY_IMPLICIT) { +- if (!info->attrs[IEEE802154_ATTR_PAN_ID] && +- !(info->attrs[IEEE802154_ATTR_SHORT_ADDR] || +- info->attrs[IEEE802154_ATTR_HW_ADDR])) ++ if (!info->attrs[IEEE802154_ATTR_PAN_ID]) + return -EINVAL; + + desc->device_addr.pan_id = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_PAN_ID]); +@@ -570,6 +568,9 @@ ieee802154_llsec_parse_key_id(struct gen + desc->device_addr.mode = IEEE802154_ADDR_SHORT; + desc->device_addr.short_addr = nla_get_shortaddr(info->attrs[IEEE802154_ATTR_SHORT_ADDR]); + } else { ++ if (!info->attrs[IEEE802154_ATTR_HW_ADDR]) ++ return -EINVAL; ++ + desc->device_addr.mode = IEEE802154_ADDR_LONG; + desc->device_addr.extended_addr = nla_get_hwaddr(info->attrs[IEEE802154_ATTR_HW_ADDR]); + } diff --git a/queue-4.19/net-ieee802154-stop-dump-llsec-params-for-monitors.patch b/queue-4.19/net-ieee802154-stop-dump-llsec-params-for-monitors.patch new file mode 100644 index 00000000000..6e7badedd85 --- /dev/null +++ b/queue-4.19/net-ieee802154-stop-dump-llsec-params-for-monitors.patch @@ -0,0 +1,38 @@ +From 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sun, 4 Apr 2021 20:30:54 -0400 +Subject: net: ieee802154: stop dump llsec params for monitors + +From: Alexander Aring + +commit 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 upstream. + +This patch stops dumping llsec params for monitors which we don't support +yet. Otherwise we will access llsec mib which isn't initialized for +monitors. + +Reported-by: syzbot+cde43a581a8e5f317bc2@syzkaller.appspotmail.com +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20210405003054.256017-16-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -836,8 +836,13 @@ nl802154_send_iface(struct sk_buff *msg, + goto nla_put_failure; + + #ifdef CONFIG_IEEE802154_NL802154_EXPERIMENTAL ++ if (wpan_dev->iftype == NL802154_IFTYPE_MONITOR) ++ goto out; ++ + if (nl802154_get_llsec_params(msg, rdev, wpan_dev) < 0) + goto nla_put_failure; ++ ++out: + #endif /* CONFIG_IEEE802154_NL802154_EXPERIMENTAL */ + + genlmsg_end(msg, hdr); diff --git a/queue-4.19/net-mac802154-fix-general-protection-fault.patch b/queue-4.19/net-mac802154-fix-general-protection-fault.patch new file mode 100644 index 00000000000..9be62948dd5 --- /dev/null +++ b/queue-4.19/net-mac802154-fix-general-protection-fault.patch @@ -0,0 +1,58 @@ +From 1165affd484889d4986cf3b724318935a0b120d8 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 4 Mar 2021 18:21:25 +0300 +Subject: net: mac802154: Fix general protection fault + +From: Pavel Skripkin + +commit 1165affd484889d4986cf3b724318935a0b120d8 upstream. + +syzbot found general protection fault in crypto_destroy_tfm()[1]. +It was caused by wrong clean up loop in llsec_key_alloc(). +If one of the tfm array members is in IS_ERR() range it will +cause general protection fault in clean up function [1]. + +Call Trace: + crypto_free_aead include/crypto/aead.h:191 [inline] [1] + llsec_key_alloc net/mac802154/llsec.c:156 [inline] + mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249 + ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338 + rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline] + nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584 + genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Pavel Skripkin +Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/llsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac802154/llsec.c ++++ b/net/mac802154/llsec.c +@@ -160,7 +160,7 @@ err_tfm0: + crypto_free_skcipher(key->tfm0); + err_tfm: + for (i = 0; i < ARRAY_SIZE(key->tfm); i++) +- if (key->tfm[i]) ++ if (!IS_ERR_OR_NULL(key->tfm[i])) + crypto_free_aead(key->tfm[i]); + + kzfree(key); diff --git a/queue-4.19/series b/queue-4.19/series index 83843e6789f..1897aa5c396 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -52,3 +52,14 @@ clk-socfpga-fix-iomem-pointer-cast-on-64-bit.patch net-sched-bump-refcount-for-new-action-in-act-replace-mode.patch cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch +drivers-net-fix-memory-leak-in-atusb_probe.patch +drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch +net-mac802154-fix-general-protection-fault.patch +net-ieee802154-nl-mac-fix-check-on-panid.patch +net-ieee802154-fix-nl802154-del-llsec-key.patch +net-ieee802154-fix-nl802154-del-llsec-dev.patch +net-ieee802154-fix-nl802154-add-llsec-key.patch +net-ieee802154-fix-nl802154-del-llsec-devkey.patch +net-ieee802154-forbid-monitor-for-set-llsec-params.patch +net-ieee802154-forbid-monitor-for-del-llsec-seclevel.patch +net-ieee802154-stop-dump-llsec-params-for-monitors.patch