Fixes for 4.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.4/appletalk-fix-skb-allocation-size-in-loopback-case.patch b/queue-4.4/appletalk-fix-skb-allocation-size-in-loopback-case.patch
new file mode 100644 (file)
index 0000000..50aa1f2
--- /dev/null
+++ b/queue-4.4/appletalk-fix-skb-allocation-size-in-loopback-case.patch
@@ -0,0 +1,99 @@
+From 4ed95c82adcbfb5c583d8a848bcbb86ac364cd31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 21:27:54 -0800
+Subject: appletalk: Fix skb allocation size in loopback case
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
+
+If a DDP broadcast packet is sent out to a non-gateway target, it is
+also looped back. There is a potential for the loopback device to have a
+longer hardware header length than the original target route's device,
+which can result in the skb not being created with enough room for the
+loopback device's hardware header. This patch fixes the issue by
+determining that a loopback will be necessary prior to allocating the
+skb, and if so, ensuring the skb has enough room.
+
+This was discovered while testing a new driver that creates a LocalTalk
+network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/ddp.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index ace94170f55e..1048cddcc9a3 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1575,8 +1575,8 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       struct sk_buff *skb;
+       struct net_device *dev;
+       struct ddpehdr *ddp;
+-      int size;
+-      struct atalk_route *rt;
++      int size, hard_header_len;
++      struct atalk_route *rt, *rt_lo = NULL;
+       int err;
+ 
+       if (flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))
+@@ -1639,7 +1639,22 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       SOCK_DEBUG(sk, "SK %p: Size needed %d, device %s\n",
+                       sk, size, dev->name);
+ 
+-      size += dev->hard_header_len;
++      hard_header_len = dev->hard_header_len;
++      /* Leave room for loopback hardware header if necessary */
++      if (usat->sat_addr.s_node == ATADDR_BCAST &&
++          (dev->flags & IFF_LOOPBACK || !(rt->flags & RTF_GATEWAY))) {
++              struct atalk_addr at_lo;
++
++              at_lo.s_node = 0;
++              at_lo.s_net  = 0;
++
++              rt_lo = atrtr_find(&at_lo);
++
++              if (rt_lo && rt_lo->dev->hard_header_len > hard_header_len)
++                      hard_header_len = rt_lo->dev->hard_header_len;
++      }
++
++      size += hard_header_len;
+       release_sock(sk);
+       skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+       lock_sock(sk);
+@@ -1647,7 +1662,7 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               goto out;
+ 
+       skb_reserve(skb, ddp_dl->header_length);
+-      skb_reserve(skb, dev->hard_header_len);
++      skb_reserve(skb, hard_header_len);
+       skb->dev = dev;
+ 
+       SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+@@ -1698,18 +1713,12 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               /* loop back */
+               skb_orphan(skb);
+               if (ddp->deh_dnode == ATADDR_BCAST) {
+-                      struct atalk_addr at_lo;
+-
+-                      at_lo.s_node = 0;
+-                      at_lo.s_net  = 0;
+-
+-                      rt = atrtr_find(&at_lo);
+-                      if (!rt) {
++                      if (!rt_lo) {
+                               kfree_skb(skb);
+                               err = -ENETUNREACH;
+                               goto out;
+                       }
+-                      dev = rt->dev;
++                      dev = rt_lo->dev;
+                       skb->dev = dev;
+               }
+               ddp_dl->request(ddp_dl, skb, dev->dev_addr);
+-- 
+2.30.1
+

diff --git a/queue-4.4/net-wan-lmc-unregister-device-when-no-matching-devic.patch b/queue-4.4/net-wan-lmc-unregister-device-when-no-matching-devic.patch
new file mode 100644 (file)
index 0000000..f8763bc
--- /dev/null
+++ b/queue-4.4/net-wan-lmc-unregister-device-when-no-matching-devic.patch
@@ -0,0 +1,96 @@
+From 9f9ffdd1026ff6796a9bb7359b16a707b79e933a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 14:17:56 -0500
+Subject: net: wan/lmc: unregister device when no matching device is found
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
+
+lmc set sc->lmc_media pointer when there is a matching device.
+However, when no matching device is found, this pointer is NULL
+and the following dereference will result in a null-ptr-deref.
+
+To fix this issue, unregister the hdlc device and return an error.
+
+[    4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
+[    4.570102]
+[    4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
+[    4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
+[    4.571125] Call Trace:
+[    4.571261]  dump_stack+0x7d/0xa3
+[    4.571445]  kasan_report.cold+0x10c/0x10e
+[    4.571667]  ? lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.571932]  lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.572186]  ? lmc_mii_readreg+0xa0/0xa0 [lmc]
+[    4.572432]  local_pci_probe+0x6f/0xb0
+[    4.572639]  pci_device_probe+0x171/0x240
+[    4.572857]  ? pci_device_remove+0xe0/0xe0
+[    4.573080]  ? kernfs_create_link+0xb6/0x110
+[    4.573315]  ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
+[    4.573598]  really_probe+0x161/0x420
+[    4.573799]  driver_probe_device+0x6d/0xd0
+[    4.574022]  device_driver_attach+0x82/0x90
+[    4.574249]  ? device_driver_attach+0x90/0x90
+[    4.574485]  __driver_attach+0x60/0x100
+[    4.574694]  ? device_driver_attach+0x90/0x90
+[    4.574931]  bus_for_each_dev+0xe1/0x140
+[    4.575146]  ? subsys_dev_iter_exit+0x10/0x10
+[    4.575387]  ? klist_node_init+0x61/0x80
+[    4.575602]  bus_add_driver+0x254/0x2a0
+[    4.575812]  driver_register+0xd3/0x150
+[    4.576021]  ? 0xffffffffc0018000
+[    4.576202]  do_one_initcall+0x84/0x250
+[    4.576411]  ? trace_event_raw_event_initcall_finish+0x150/0x150
+[    4.576733]  ? unpoison_range+0xf/0x30
+[    4.576938]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.577219]  ? unpoison_range+0xf/0x30
+[    4.577423]  ? unpoison_range+0xf/0x30
+[    4.577628]  do_init_module+0xf8/0x350
+[    4.577833]  load_module+0x3fe6/0x4340
+[    4.578038]  ? vm_unmap_ram+0x1d0/0x1d0
+[    4.578247]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.578526]  ? module_frob_arch_sections+0x20/0x20
+[    4.578787]  ? __do_sys_finit_module+0x108/0x170
+[    4.579037]  __do_sys_finit_module+0x108/0x170
+[    4.579278]  ? __ia32_sys_init_module+0x40/0x40
+[    4.579523]  ? file_open_root+0x200/0x200
+[    4.579742]  ? do_sys_open+0x85/0xe0
+[    4.579938]  ? filp_open+0x50/0x50
+[    4.580125]  ? exit_to_user_mode_prepare+0xfc/0x130
+[    4.580390]  do_syscall_64+0x33/0x40
+[    4.580586]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[    4.580859] RIP: 0033:0x7f1a724c3cf7
+[    4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
+[    4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[    4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
+[    4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
+[    4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
+[    4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
+[    4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
+[    4.584349] ==================================================================
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c
+index c178e1218347..88cf948ce8d4 100644
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -926,6 +926,8 @@ static int lmc_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+         break;
+     default:
+       printk(KERN_WARNING "%s: LMC UNKNOWN CARD!\n", dev->name);
++      unregister_hdlc_device(dev);
++      return -EIO;
+         break;
+     }
+ 
+-- 
+2.30.1
+

diff --git a/queue-4.4/series b/queue-4.4/series
index 37817f7baed0c7e33a5cc0c3875538fb62746773..3a4e4539ead577470c2d1bee77ac5b3a33662cb9 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -10,3 +10,5 @@ scsi-qla2xxx-fix-broken-endif-placement.patch
 staging-comedi-cb_pcidas-fix-request_irq-warn.patch
 staging-comedi-cb_pcidas64-fix-request_irq-warn.patch
 ext4-do-not-iput-inode-under-running-transaction-in-.patch
+appletalk-fix-skb-allocation-size-in-loopback-case.patch
+net-wan-lmc-unregister-device-when-no-matching-devic.patch