4.14-stable patches

added patches:
	net-usb-fix-memory-leak-in-smsc75xx_bind.patch

diff --git a/queue-4.14/net-usb-fix-memory-leak-in-smsc75xx_bind.patch b/queue-4.14/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
new file mode 100644 (file)
index 0000000..977c70f
--- /dev/null
+++ b/queue-4.14/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
@@ -0,0 +1,60 @@
+From 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 24 May 2021 23:02:08 +0300
+Subject: net: usb: fix memory leak in smsc75xx_bind
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 upstream.
+
+Syzbot reported memory leak in smsc75xx_bind().
+The problem was is non-freed memory in case of
+errors after memory allocation.
+
+backtrace:
+  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
+  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
+  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
+  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Cc: stable@kernel.vger.org
+Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_wait_ready(dev, 0);
+       if (ret < 0) {
+               netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+-              return ret;
++              goto err;
+       }
+ 
+       smsc75xx_init_mac_address(dev);
+@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_reset(dev);
+       if (ret < 0) {
+               netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+-              return ret;
++              goto err;
+       }
+ 
+       dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1514,6 +1514,10 @@ static int smsc75xx_bind(struct usbnet *
+       dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+       dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+       return 0;
++
++err:
++      kfree(pdata);
++      return ret;
+ }
+ 
+ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)

diff --git a/queue-4.14/series b/queue-4.14/series
index 6ba8cf0608629317836c29e8a73a730ceda21798..c6d6aad76a0dc5edbb25d9bb8b9432fe268137f3 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -30,3 +30,4 @@ usb-serial-option-add-telit-le910-s1-compositions-0x7010-0x7011.patch
 usb-serial-ftdi_sio-add-ids-for-ids-gmbh-products.patch
 usb-serial-pl2303-add-device-id-for-adlink-nd-6530-gc.patch
 usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
+net-usb-fix-memory-leak-in-smsc75xx_bind.patch