4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 12:31:36 +0000 (14:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 12:31:36 +0000 (14:31 +0200)
added patches:
net-usb-fix-memory-leak-in-smsc75xx_bind.patch
spi-fix-use-after-free-with-devm_spi_alloc_.patch

queue-4.9/net-usb-fix-memory-leak-in-smsc75xx_bind.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/spi-fix-use-after-free-with-devm_spi_alloc_.patch [new file with mode: 0644]

diff --git a/queue-4.9/net-usb-fix-memory-leak-in-smsc75xx_bind.patch b/queue-4.9/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
new file mode 100644 (file)
index 0000000..3f504c6
--- /dev/null
@@ -0,0 +1,60 @@
+From 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 24 May 2021 23:02:08 +0300
+Subject: net: usb: fix memory leak in smsc75xx_bind
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 upstream.
+
+Syzbot reported memory leak in smsc75xx_bind().
+The problem was is non-freed memory in case of
+errors after memory allocation.
+
+backtrace:
+  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
+  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
+  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
+  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Cc: stable@kernel.vger.org
+Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1497,7 +1497,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_wait_ready(dev, 0);
+       if (ret < 0) {
+               netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+-              return ret;
++              goto err;
+       }
+       smsc75xx_init_mac_address(dev);
+@@ -1506,7 +1506,7 @@ static int smsc75xx_bind(struct usbnet *
+       ret = smsc75xx_reset(dev);
+       if (ret < 0) {
+               netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+-              return ret;
++              goto err;
+       }
+       dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1515,6 +1515,10 @@ static int smsc75xx_bind(struct usbnet *
+       dev->net->hard_header_len += SMSC75XX_TX_OVERHEAD;
+       dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+       return 0;
++
++err:
++      kfree(pdata);
++      return ret;
+ }
+ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
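Review bot: The new `err:` label only covers the two `return ret` sites converted in the hunks at 1497 and 1506 of smsc75xx.c, while the backtrace in the description places the kzalloc at line 1460, so roughly 35 lines between the allocation and the first hunk are not shown; any early `return` in that stretch would still leak pdata and should be checked against the full function. After `kfree(pdata)` the copy of the pointer the driver keeps in the usbnet private slot (presumably `dev->data[0]`, as the rest of this driver reads it from there) is left dangling, so a later teardown path that dereferences or frees it would become a use-after-free or double free; if that is where it is stored, clear it at the label, e.g. `dev->data[0] = 0;` before `return ret;`. The body of smsc75xx_bind begins outside the hunk.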
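--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -23,3 +23,5 @@ usb-serial-ti_usb_3410_5052-add-startech.com-device-id.patch
 usb-serial-option-add-telit-le910-s1-compositions-0x7010-0x7011.patch
 usb-serial-ftdi_sio-add-ids-for-ids-gmbh-products.patch
 usb-serial-pl2303-add-device-id-for-adlink-nd-6530-gc.patch
+net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+spi-fix-use-after-free-with-devm_spi_alloc_.patch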
diff --git a/queue-4.9/spi-fix-use-after-free-with-devm_spi_alloc_.patch b/queue-4.9/spi-fix-use-after-free-with-devm_spi_alloc_.patch
new file mode 100644 (file)
index 0000000..6c6a27b
--- /dev/null
@@ -0,0 +1,91 @@
+From 794aaf01444d4e765e2b067cba01cc69c1c68ed9 Mon Sep 17 00:00:00 2001
+From: "William A. Kennington III" <wak@google.com>
+Date: Wed, 7 Apr 2021 02:55:27 -0700
+Subject: spi: Fix use-after-free with devm_spi_alloc_*
+
+From: William A. Kennington III <wak@google.com>
+
+commit 794aaf01444d4e765e2b067cba01cc69c1c68ed9 upstream.
+
+We can't rely on the contents of the devres list during
+spi_unregister_controller(), as the list is already torn down at the
+time we perform devres_find() for devm_spi_release_controller. This
+causes devices registered with devm_spi_alloc_{master,slave}() to be
+mistakenly identified as legacy, non-devm managed devices and have their
+reference counters decremented below 0.
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
+[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)
+[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)
+ r4:b6700140
+[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)
+[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)
+ r5:b6700180 r4:b6700100
+[<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60)
+ r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
+[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)
+ r5:b117ad94 r4:b163dc10
+[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0)
+ r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
+[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)
+
+Instead, determine the devm allocation state as a flag on the
+controller which is guaranteed to be stable during cleanup.
+
+Fixes: 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Link: https://lore.kernel.org/r/20210407095527.2771582-1-wak@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[lukas: backport to v4.9.270]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi.c       |    9 ++-------
+ include/linux/spi/spi.h |    3 +++
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1869,6 +1869,7 @@ struct spi_master *devm_spi_alloc_master
+       master = spi_alloc_master(dev, size);
+       if (master) {
++              master->devm_allocated = true;
+               *ptr = master;
+               devres_add(dev, ptr);
+       } else {
+@@ -2059,11 +2060,6 @@ int devm_spi_register_master(struct devi
+ }
+ EXPORT_SYMBOL_GPL(devm_spi_register_master);
+-static int devm_spi_match_master(struct device *dev, void *res, void *master)
+-{
+-      return *(struct spi_master **)res == master;
+-}
+-
+ static int __unregister(struct device *dev, void *null)
+ {
+       spi_unregister_device(to_spi_device(dev));
+@@ -2102,8 +2098,7 @@ void spi_unregister_master(struct spi_ma
+       /* Release the last reference on the master if its driver
+        * has not yet been converted to devm_spi_alloc_master().
+        */
+-      if (!devres_find(master->dev.parent, devm_spi_release_master,
+-                       devm_spi_match_master, master))
++      if (!master->devm_allocated)
+               put_device(&master->dev);
+       if (IS_ENABLED(CONFIG_SPI_DYNAMIC))
+--- a/include/linux/spi/spi.h
++++ b/include/linux/spi/spi.h
+@@ -443,6 +443,9 @@ struct spi_master {
+ #define SPI_MASTER_MUST_RX      BIT(3)                /* requires rx */
+ #define SPI_MASTER_MUST_TX      BIT(4)                /* requires tx */
++      /* flag indicating this is a non-devres managed controller */
++      bool                    devm_allocated;
++
+       /*
+        * on some hardware transfer / message size may be constrained
+        * the limit may depend on device transfer settings