Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Thu, 1 Apr 2021 17:31:28 +0000 (13:31 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 1 Apr 2021 17:31:28 +0000 (13:31 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch [new file with mode: 0644]
queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch b/queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch
new file mode 100644 (file)
index 0000000..d49a79a
--- /dev/null
@@ -0,0 +1,99 @@
+From 1d37112cff81b573f0832d84876415560971c19c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 21:27:54 -0800
+Subject: appletalk: Fix skb allocation size in loopback case
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
+
+If a DDP broadcast packet is sent out to a non-gateway target, it is
+also looped back. There is a potential for the loopback device to have a
+longer hardware header length than the original target route's device,
+which can result in the skb not being created with enough room for the
+loopback device's hardware header. This patch fixes the issue by
+determining that a loopback will be necessary prior to allocating the
+skb, and if so, ensuring the skb has enough room.
+
+This was discovered while testing a new driver that creates a LocalTalk
+network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/ddp.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 93209c009df5..a66de21671ac 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1575,8 +1575,8 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       struct sk_buff *skb;
+       struct net_device *dev;
+       struct ddpehdr *ddp;
+-      int size;
+-      struct atalk_route *rt;
++      int size, hard_header_len;
++      struct atalk_route *rt, *rt_lo = NULL;
+       int err;
+       if (flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))
+@@ -1639,7 +1639,22 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       SOCK_DEBUG(sk, "SK %p: Size needed %d, device %s\n",
+                       sk, size, dev->name);
+-      size += dev->hard_header_len;
++      hard_header_len = dev->hard_header_len;
++      /* Leave room for loopback hardware header if necessary */
++      if (usat->sat_addr.s_node == ATADDR_BCAST &&
++          (dev->flags & IFF_LOOPBACK || !(rt->flags & RTF_GATEWAY))) {
++              struct atalk_addr at_lo;
++
++              at_lo.s_node = 0;
++              at_lo.s_net  = 0;
++
++              rt_lo = atrtr_find(&at_lo);
++
++              if (rt_lo && rt_lo->dev->hard_header_len > hard_header_len)
++                      hard_header_len = rt_lo->dev->hard_header_len;
++      }
++
++      size += hard_header_len;
+       release_sock(sk);
+       skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+       lock_sock(sk);
+@@ -1647,7 +1662,7 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               goto out;
+       skb_reserve(skb, ddp_dl->header_length);
+-      skb_reserve(skb, dev->hard_header_len);
++      skb_reserve(skb, hard_header_len);
+       skb->dev = dev;
+       SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+@@ -1698,18 +1713,12 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               /* loop back */
+               skb_orphan(skb);
+               if (ddp->deh_dnode == ATADDR_BCAST) {
+-                      struct atalk_addr at_lo;
+-
+-                      at_lo.s_node = 0;
+-                      at_lo.s_net  = 0;
+-
+-                      rt = atrtr_find(&at_lo);
+-                      if (!rt) {
++                      if (!rt_lo) {
+                               kfree_skb(skb);
+                               err = -ENETUNREACH;
+                               goto out;
+                       }
+-                      dev = rt->dev;
++                      dev = rt_lo->dev;
+                       skb->dev = dev;
+               }
+               ddp_dl->request(ddp_dl, skb, dev->dev_addr);
+-- 
+2.30.1
+
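Review bot: `rt_lo` is now looked up before `release_sock(sk)` / `sock_alloc_send_skb()` but dereferenced (`rt_lo->dev`) only in the loop-back branch after the socket lock is re-taken, so the cached route must stay valid across an allocation that can block when MSG_DONTWAIT is not set. Nothing visible in these hunks pins the route or its device for that interval. atrtr_find() is defined outside the hunks, so whether it returns a counted reference cannot be confirmed here. The existing `rt`/`dev` pair has the same lifetime, but before this change the loopback lookup happened immediately before use. I would confirm what keeps the entry alive and record it next to the lookup, e.g. `/* rt_lo is dereferenced after sock_alloc_send_skb(); relies on the route entry outliving that call */`. atalk_sendmsg() begins and ends outside the hunks shown.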
diff --git a/queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch b/queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch
new file mode 100644 (file)
index 0000000..5d4024d
--- /dev/null
@@ -0,0 +1,96 @@
+From 25ae723c1d47dc014deaa9f774ef2ce9f5007235 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 14:17:56 -0500
+Subject: net: wan/lmc: unregister device when no matching device is found
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
+
+lmc set sc->lmc_media pointer when there is a matching device.
+However, when no matching device is found, this pointer is NULL
+and the following dereference will result in a null-ptr-deref.
+
+To fix this issue, unregister the hdlc device and return an error.
+
+[    4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
+[    4.570102]
+[    4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
+[    4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
+[    4.571125] Call Trace:
+[    4.571261]  dump_stack+0x7d/0xa3
+[    4.571445]  kasan_report.cold+0x10c/0x10e
+[    4.571667]  ? lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.571932]  lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.572186]  ? lmc_mii_readreg+0xa0/0xa0 [lmc]
+[    4.572432]  local_pci_probe+0x6f/0xb0
+[    4.572639]  pci_device_probe+0x171/0x240
+[    4.572857]  ? pci_device_remove+0xe0/0xe0
+[    4.573080]  ? kernfs_create_link+0xb6/0x110
+[    4.573315]  ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
+[    4.573598]  really_probe+0x161/0x420
+[    4.573799]  driver_probe_device+0x6d/0xd0
+[    4.574022]  device_driver_attach+0x82/0x90
+[    4.574249]  ? device_driver_attach+0x90/0x90
+[    4.574485]  __driver_attach+0x60/0x100
+[    4.574694]  ? device_driver_attach+0x90/0x90
+[    4.574931]  bus_for_each_dev+0xe1/0x140
+[    4.575146]  ? subsys_dev_iter_exit+0x10/0x10
+[    4.575387]  ? klist_node_init+0x61/0x80
+[    4.575602]  bus_add_driver+0x254/0x2a0
+[    4.575812]  driver_register+0xd3/0x150
+[    4.576021]  ? 0xffffffffc0018000
+[    4.576202]  do_one_initcall+0x84/0x250
+[    4.576411]  ? trace_event_raw_event_initcall_finish+0x150/0x150
+[    4.576733]  ? unpoison_range+0xf/0x30
+[    4.576938]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.577219]  ? unpoison_range+0xf/0x30
+[    4.577423]  ? unpoison_range+0xf/0x30
+[    4.577628]  do_init_module+0xf8/0x350
+[    4.577833]  load_module+0x3fe6/0x4340
+[    4.578038]  ? vm_unmap_ram+0x1d0/0x1d0
+[    4.578247]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.578526]  ? module_frob_arch_sections+0x20/0x20
+[    4.578787]  ? __do_sys_finit_module+0x108/0x170
+[    4.579037]  __do_sys_finit_module+0x108/0x170
+[    4.579278]  ? __ia32_sys_init_module+0x40/0x40
+[    4.579523]  ? file_open_root+0x200/0x200
+[    4.579742]  ? do_sys_open+0x85/0xe0
+[    4.579938]  ? filp_open+0x50/0x50
+[    4.580125]  ? exit_to_user_mode_prepare+0xfc/0x130
+[    4.580390]  do_syscall_64+0x33/0x40
+[    4.580586]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[    4.580859] RIP: 0033:0x7f1a724c3cf7
+[    4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
+[    4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[    4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
+[    4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
+[    4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
+[    4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
+[    4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
+[    4.584349] ==================================================================
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c
+index 04b60ed59ea0..4253ccb79975 100644
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -923,6 +923,8 @@ static int lmc_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+         break;
+     default:
+       printk(KERN_WARNING "%s: LMC UNKNOWN CARD!\n", dev->name);
++      unregister_hdlc_device(dev);
++      return -EIO;
+         break;
+     }
+-- 
+2.30.1
+
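Review bot: The added `return -EIO;` in the `default:` case leaves lmc_init_one() straight after `unregister_hdlc_device(dev)`, so whatever the probe acquired earlier is not released on this path. The part of the function above the hunk is not shown, but a PCI probe has presumably enabled the device, requested its regions and allocated the softc and netdev by this point. If the function already has an unwind path for its other failures, this branch should join it instead of returning directly, e.g. `goto <existing_cleanup_label>;` with the error code set to `-EIO` (placeholder, since the label and error variable names are not visible here), and the netdev should be freed once it is unregistered. The `break;` left after the return is unreachable and can be dropped.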
index 5cd06bc9dc74603648ef95a0532cb8438c77a497..2e321132f5b7468f0c6dff1858b48d02c72e597a 100644 (file)
@@ -13,3 +13,5 @@ staging-comedi-cb_pcidas-fix-request_irq-warn.patch
 staging-comedi-cb_pcidas64-fix-request_irq-warn.patch
 asoc-rt5659-update-mclk-rate-in-set_sysclk.patch
 ext4-do-not-iput-inode-under-running-transaction-in-.patch
+appletalk-fix-skb-allocation-size-in-loopback-case.patch
+net-wan-lmc-unregister-device-when-no-matching-devic.patch