From: Greg Kroah-Hartman Date: Mon, 4 Oct 2021 12:17:17 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.286~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8eae2dc14aa459140a138217026c87faf59a56a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch netfilter-ipset-fix-oversized-kvmalloc-calls.patch --- diff --git a/queue-4.19/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch b/queue-4.19/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch new file mode 100644 index 00000000000..7baa1202be6 --- /dev/null +++ b/queue-4.19/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch @@ -0,0 +1,52 @@ +From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001 +From: "F.A.Sulaiman" +Date: Tue, 24 Aug 2021 20:37:30 +0530 +Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe + +From: F.A.Sulaiman + +commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. + +Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. +The problem is the driver assumes the device must have an input report but +some malicious devices violate this assumption. + +So this patch checks hid_device's input is non empty before it's been used. + +Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com +Signed-off-by: F.A. SULAIMAN +Reviewed-by: Pavel Skripkin +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-betopff.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -59,15 +59,22 @@ static int betopff_init(struct hid_devic + { + struct betopff_device *betopff; + struct hid_report *report; +- struct hid_input *hidinput = +- list_first_entry(&hid->inputs, struct hid_input, list); ++ struct hid_input *hidinput; + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; +- struct input_dev *dev = hidinput->input; ++ struct input_dev *dev; + int field_count = 0; + int error; + int i, j; + ++ if (list_empty(&hid->inputs)) { ++ hid_err(hid, "no inputs found\n"); ++ return -ENODEV; ++ } ++ ++ hidinput = list_first_entry(&hid->inputs, struct hid_input, list); ++ dev = hidinput->input; ++ + if (list_empty(report_list)) { + hid_err(hid, "no output reports found\n"); + return -ENODEV; diff --git a/queue-4.19/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch b/queue-4.19/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch new file mode 100644 index 00000000000..df2b23aaf9e --- /dev/null +++ b/queue-4.19/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch @@ -0,0 +1,55 @@ +From f7744fa16b96da57187dc8e5634152d3b63d72de Mon Sep 17 00:00:00 2001 +From: Anirudh Rayabharam +Date: Thu, 24 Jun 2021 00:10:29 +0530 +Subject: HID: usbhid: free raw_report buffers in usbhid_stop + +From: Anirudh Rayabharam + +commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream. + +Free the unsent raw_report buffers when the device is removed. + +Fixes a memory leak reported by syzbot at: +https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47 + +Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com +Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com +Signed-off-by: Anirudh Rayabharam +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/usbhid/hid-core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -506,7 +506,7 @@ static void hid_ctrl(struct urb *urb) + + if (unplug) { + usbhid->ctrltail = usbhid->ctrlhead; +- } else { ++ } else if (usbhid->ctrlhead != usbhid->ctrltail) { + usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1); + + if (usbhid->ctrlhead != usbhid->ctrltail && +@@ -1224,9 +1224,20 @@ static void usbhid_stop(struct hid_devic + mutex_lock(&usbhid->mutex); + + clear_bit(HID_STARTED, &usbhid->iofl); ++ + spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */ + set_bit(HID_DISCONNECTED, &usbhid->iofl); ++ while (usbhid->ctrltail != usbhid->ctrlhead) { ++ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) { ++ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report); ++ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL; ++ } ++ ++ usbhid->ctrltail = (usbhid->ctrltail + 1) & ++ (HID_CONTROL_FIFO_SIZE - 1); ++ } + spin_unlock_irq(&usbhid->lock); ++ + usb_kill_urb(usbhid->urbin); + usb_kill_urb(usbhid->urbout); + usb_kill_urb(usbhid->urbctrl); diff --git a/queue-4.19/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-4.19/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch new file mode 100644 index 00000000000..4cb45c78af7 --- /dev/null +++ b/queue-4.19/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch @@ -0,0 +1,89 @@ +From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001 +From: Yanfei Xu +Date: Sun, 26 Sep 2021 12:53:13 +0800 +Subject: net: mdiobus: Fix memory leak in __mdiobus_register + +From: Yanfei Xu + +commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream. + +Once device_register() failed, we should call put_device() to +decrement reference count for cleanup. Or it will cause memory +leak. + +BUG: memory leak +unreferenced object 0xffff888114032e00 (size 256): + comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff ................ + 08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff .........ve..... + backtrace: + [] kmalloc include/linux/slab.h:591 [inline] + [] kzalloc include/linux/slab.h:721 [inline] + [] device_private_init drivers/base/core.c:3203 [inline] + [] device_add+0x89b/0xdf0 drivers/base/core.c:3253 + [] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537 + [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87 + [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline] + [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786 + [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:517 [inline] + [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596 + [] really_probe drivers/base/dd.c:558 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:969 + [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 + [] device_add+0x5fb/0xdf0 drivers/base/core.c:3359 + [] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170 + [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + +BUG: memory leak +unreferenced object 0xffff888116f06900 (size 32): + comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s) + hex dump (first 32 bytes): + 75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00 usb-001:003..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kstrdup+0x36/0x70 mm/util.c:60 + [] kstrdup_const+0x53/0x80 mm/util.c:83 + [] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48 + [] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289 + [] dev_set_name+0x63/0x90 drivers/base/core.c:3147 + [] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535 + [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87 + [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline] + [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786 + [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:517 [inline] + [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596 + [] really_probe drivers/base/dd.c:558 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:969 + +Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com +Signed-off-by: Yanfei Xu +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio_bus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -381,6 +381,7 @@ int __mdiobus_register(struct mii_bus *b + err = device_register(&bus->dev); + if (err) { + pr_err("mii_bus %s failed to register\n", bus->id); ++ put_device(&bus->dev); + return -EINVAL; + } + diff --git a/queue-4.19/netfilter-ipset-fix-oversized-kvmalloc-calls.patch b/queue-4.19/netfilter-ipset-fix-oversized-kvmalloc-calls.patch new file mode 100644 index 00000000000..65f2bbca813 --- /dev/null +++ b/queue-4.19/netfilter-ipset-fix-oversized-kvmalloc-calls.patch @@ -0,0 +1,46 @@ +From 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 Mon Sep 17 00:00:00 2001 +From: Jozsef Kadlecsik +Date: Mon, 6 Sep 2021 18:26:34 +0200 +Subject: netfilter: ipset: Fix oversized kvmalloc() calls + +From: Jozsef Kadlecsik + +commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream. + +The commit + +commit 7661809d493b426e979f39ab512e3adf41fbcc69 +Author: Linus Torvalds +Date: Wed Jul 14 09:45:49 2021 -0700 + + mm: don't allow oversized kvmalloc() calls + +limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the +same limit in ipset. + +Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com +Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com +Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_hash_gen.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -104,11 +104,11 @@ htable_size(u8 hbits) + { + size_t hsize; + +- /* We must fit both into u32 in jhash and size_t */ ++ /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */ + if (hbits > 31) + return 0; + hsize = jhash_size(hbits); +- if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *) ++ if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *) + < hsize) + return 0; + diff --git a/queue-4.19/series b/queue-4.19/series index bc632e9bdb1..0a47aafff4e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -89,3 +89,7 @@ hso-fix-bailout-in-error-case-of-probe.patch usb-hso-fix-error-handling-code-of-hso_create_net_device.patch usb-hso-remove-the-bailout-parameter.patch crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch +hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch +netfilter-ipset-fix-oversized-kvmalloc-calls.patch +hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch +net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch