From 3e854c60fe3116ece401b148ce144c8a806bb903 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 4 Oct 2021 14:16:44 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
	hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
	net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
	netfilter-ipset-fix-oversized-kvmalloc-calls.patch
---
 ...b-out-of-bounds-write-in-betop_probe.patch | 52 +++++++++++
 ...ee-raw_report-buffers-in-usbhid_stop.patch | 55 ++++++++++++
 ...ix-memory-leak-in-__mdiobus_register.patch | 89 +++++++++++++++++++
 ...r-ipset-fix-oversized-kvmalloc-calls.patch | 46 ++++++++++
 queue-4.9/series                              |  4 +
 5 files changed, 246 insertions(+)
 create mode 100644 queue-4.9/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
 create mode 100644 queue-4.9/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
 create mode 100644 queue-4.9/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
 create mode 100644 queue-4.9/netfilter-ipset-fix-oversized-kvmalloc-calls.patch

diff --git a/queue-4.9/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch b/queue-4.9/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
new file mode 100644
index 00000000000..7baa1202be6
--- /dev/null
+++ b/queue-4.9/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
@@ -0,0 +1,52 @@
+From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001
+From: "F.A.Sulaiman" <asha.16@itfac.mrt.ac.lk>
+Date: Tue, 24 Aug 2021 20:37:30 +0530
+Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe
+
+From: F.A.Sulaiman <asha.16@itfac.mrt.ac.lk>
+
+commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream.
+
+Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
+The problem is the driver assumes the device must have an input report but
+some malicious devices violate this assumption.
+
+So this patch checks hid_device's input is non empty before it's been used.
+
+Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
+Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
+Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-betopff.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -59,15 +59,22 @@ static int betopff_init(struct hid_devic
+ {
+ 	struct betopff_device *betopff;
+ 	struct hid_report *report;
+-	struct hid_input *hidinput =
+-			list_first_entry(&hid->inputs, struct hid_input, list);
++	struct hid_input *hidinput;
+ 	struct list_head *report_list =
+ 			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
+-	struct input_dev *dev = hidinput->input;
++	struct input_dev *dev;
+ 	int field_count = 0;
+ 	int error;
+ 	int i, j;
+ 
++	if (list_empty(&hid->inputs)) {
++		hid_err(hid, "no inputs found\n");
++		return -ENODEV;
++	}
++
++	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
++	dev = hidinput->input;
++
+ 	if (list_empty(report_list)) {
+ 		hid_err(hid, "no output reports found\n");
+ 		return -ENODEV;
diff --git a/queue-4.9/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch b/queue-4.9/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
new file mode 100644
index 00000000000..09d65a9dce8
--- /dev/null
+++ b/queue-4.9/hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
@@ -0,0 +1,55 @@
+From f7744fa16b96da57187dc8e5634152d3b63d72de Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Thu, 24 Jun 2021 00:10:29 +0530
+Subject: HID: usbhid: free raw_report buffers in usbhid_stop
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream.
+
+Free the unsent raw_report buffers when the device is removed.
+
+Fixes a memory leak reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47
+
+Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/usbhid/hid-core.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -500,7 +500,7 @@ static void hid_ctrl(struct urb *urb)
+ 
+ 	if (unplug) {
+ 		usbhid->ctrltail = usbhid->ctrlhead;
+-	} else {
++	} else if (usbhid->ctrlhead != usbhid->ctrltail) {
+ 		usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
+ 
+ 		if (usbhid->ctrlhead != usbhid->ctrltail &&
+@@ -1185,9 +1185,20 @@ static void usbhid_stop(struct hid_devic
+ 		usbhid->intf->needs_remote_wakeup = 0;
+ 
+ 	clear_bit(HID_STARTED, &usbhid->iofl);
++
+ 	spin_lock_irq(&usbhid->lock);	/* Sync with error and led handlers */
+ 	set_bit(HID_DISCONNECTED, &usbhid->iofl);
++	while (usbhid->ctrltail != usbhid->ctrlhead) {
++		if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
++			kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
++			usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
++		}
++
++		usbhid->ctrltail = (usbhid->ctrltail + 1) &
++			(HID_CONTROL_FIFO_SIZE - 1);
++	}
+ 	spin_unlock_irq(&usbhid->lock);
++
+ 	usb_kill_urb(usbhid->urbin);
+ 	usb_kill_urb(usbhid->urbout);
+ 	usb_kill_urb(usbhid->urbctrl);
diff --git a/queue-4.9/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-4.9/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
new file mode 100644
index 00000000000..4dfa9f87ab6
--- /dev/null
+++ b/queue-4.9/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
@@ -0,0 +1,89 @@
+From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001
+From: Yanfei Xu <yanfei.xu@windriver.com>
+Date: Sun, 26 Sep 2021 12:53:13 +0800
+Subject: net: mdiobus: Fix memory leak in __mdiobus_register
+
+From: Yanfei Xu <yanfei.xu@windriver.com>
+
+commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it will cause memory
+leak.
+
+BUG: memory leak
+unreferenced object 0xffff888114032e00 (size 256):
+  comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff  ................
+    08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff  .........ve.....
+  backtrace:
+    [<ffffffff8265cfab>] kmalloc include/linux/slab.h:591 [inline]
+    [<ffffffff8265cfab>] kzalloc include/linux/slab.h:721 [inline]
+    [<ffffffff8265cfab>] device_private_init drivers/base/core.c:3203 [inline]
+    [<ffffffff8265cfab>] device_add+0x89b/0xdf0 drivers/base/core.c:3253
+    [<ffffffff828dd643>] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
+    [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+    [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+    [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+    [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+    [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+    [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+    [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+    [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+    [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+    [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+    [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+    [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+    [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+    [<ffffffff82660916>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
+    [<ffffffff8265cd0b>] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
+    [<ffffffff82c343b9>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
+    [<ffffffff82c4473c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+
+BUG: memory leak
+unreferenced object 0xffff888116f06900 (size 32):
+  comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
+  hex dump (first 32 bytes):
+    75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00  usb-001:003.....
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff81484516>] kstrdup+0x36/0x70 mm/util.c:60
+    [<ffffffff814845a3>] kstrdup_const+0x53/0x80 mm/util.c:83
+    [<ffffffff82296ba2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
+    [<ffffffff82358d4b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
+    [<ffffffff826575f3>] dev_set_name+0x63/0x90 drivers/base/core.c:3147
+    [<ffffffff828dd63b>] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
+    [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+    [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+    [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+    [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+    [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+    [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
+    [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+    [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
+    [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+    [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+    [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+    [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+    [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
+
+Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -319,6 +319,7 @@ int __mdiobus_register(struct mii_bus *b
+ 	err = device_register(&bus->dev);
+ 	if (err) {
+ 		pr_err("mii_bus %s failed to register\n", bus->id);
++		put_device(&bus->dev);
+ 		return -EINVAL;
+ 	}
+ 
diff --git a/queue-4.9/netfilter-ipset-fix-oversized-kvmalloc-calls.patch b/queue-4.9/netfilter-ipset-fix-oversized-kvmalloc-calls.patch
new file mode 100644
index 00000000000..dfcb1a539b6
--- /dev/null
+++ b/queue-4.9/netfilter-ipset-fix-oversized-kvmalloc-calls.patch
@@ -0,0 +1,46 @@
+From 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+Date: Mon, 6 Sep 2021 18:26:34 +0200
+Subject: netfilter: ipset: Fix oversized kvmalloc() calls
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream.
+
+The commit
+
+commit 7661809d493b426e979f39ab512e3adf41fbcc69
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date:   Wed Jul 14 09:45:49 2021 -0700
+
+    mm: don't allow oversized kvmalloc() calls
+
+limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
+same limit in ipset.
+
+Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com
+Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com
+Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -102,11 +102,11 @@ htable_size(u8 hbits)
+ {
+ 	size_t hsize;
+ 
+-	/* We must fit both into u32 in jhash and size_t */
++	/* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */
+ 	if (hbits > 31)
+ 		return 0;
+ 	hsize = jhash_size(hbits);
+-	if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *)
++	if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *)
+ 	    < hsize)
+ 		return 0;
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index 654536bbccf..7fe75cd3405 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -51,3 +51,7 @@ arm-9078-1-add-warn-suppress-parameter-to-arm_gen_branch_link.patch
 arm-9079-1-ftrace-add-module_plts-support.patch
 arm-9098-1-ftrace-module_plt-fix-build-problem-without-dynamic_ftrace.patch
 arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch
+hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch
+netfilter-ipset-fix-oversized-kvmalloc-calls.patch
+hid-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
+net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
-- 
2.47.3