From 673e890fe9f5561b60d32787e2cf183b19493a65 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 19 Nov 2019 08:56:07 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
	slcan-fix-memory-leak-in-error-path.patch
---
 queue-4.14/series                             |  1 +
 .../slcan-fix-memory-leak-in-error-path.patch | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 queue-4.14/slcan-fix-memory-leak-in-error-path.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index b149806831f..0a90c4485a9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -236,3 +236,4 @@ fuse-use-read_once-on-congestion_threshold-and-max_b.patch
 ib-iser-fix-possible-null-deref-at-iser_inv_desc.patch
 net-phy-mdio-bcm-unimac-mark-pm-functions-as-__maybe.patch
 memfd-use-radix_tree_deref_slot_protected-to-avoid-the-warning.patch
+slcan-fix-memory-leak-in-error-path.patch
diff --git a/queue-4.14/slcan-fix-memory-leak-in-error-path.patch b/queue-4.14/slcan-fix-memory-leak-in-error-path.patch
new file mode 100644
index 00000000000..63ec75f1abd
--- /dev/null
+++ b/queue-4.14/slcan-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,53 @@
+From ed50e1600b4483c049ce76e6bd3b665a6a9300ed Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 12:08:01 +0200
+Subject: slcan: Fix memory leak in error path
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.
+
+This patch is fixing memory leak reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+  hex dump (first 32 bytes):
+    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  backtrace:
+    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+    [<000000008ea75434>] 0xffffffffffffffff
+
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/slcan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -613,6 +613,7 @@ err_free_chan:
+ 	sl->tty = NULL;
+ 	tty->disc_data = NULL;
+ 	clear_bit(SLF_INUSE, &sl->flags);
++	free_netdev(sl->dev);
+ 
+ err_exit:
+ 	rtnl_unlock();
-- 
2.47.3