From: Sasha Levin Date: Thu, 1 Apr 2021 17:31:28 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.4.265~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=41159b5640051ab644f9966367b0486ff4e49c85;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch b/queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch
new file mode 100644
index 00000000000..d49a79ab3e7
--- /dev/null
+++ b/queue-4.9/appletalk-fix-skb-allocation-size-in-loopback-case.patch
@@ -0,0 +1,99 @@
+From 1d37112cff81b573f0832d84876415560971c19c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Feb 2021 21:27:54 -0800
+Subject: appletalk: Fix skb allocation size in loopback case
+
+From: Doug Brown
+
+[ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
+
+If a DDP broadcast packet is sent out to a non-gateway target, it is
+also looped back. There is a potential for the loopback device to have a
+longer hardware header length than the original target route's device,
+which can result in the skb not being created with enough room for the
+loopback device's hardware header. This patch fixes the issue by
+determining that a loopback will be necessary prior to allocating the
+skb, and if so, ensuring the skb has enough room.
+
+This was discovered while testing a new driver that creates a LocalTalk
+network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
+
+Signed-off-by: Doug Brown
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/appletalk/ddp.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 93209c009df5..a66de21671ac 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1575,8 +1575,8 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct ddpehdr *ddp;
+- int size;
+- struct atalk_route *rt;
++ int size, hard_header_len;
++ struct atalk_route *rt, *rt_lo = NULL;
+ int err;
+
+ if (flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))
+@@ -1639,7 +1639,22 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ SOCK_DEBUG(sk, "SK %p: Size needed %d, device %s\n",
+ sk, size, dev->name);
+
+- size += dev->hard_header_len;
++ hard_header_len = dev->hard_header_len;
++ /* Leave room for loopback hardware header if necessary */
++ if (usat->sat_addr.s_node == ATADDR_BCAST &&
++ (dev->flags & IFF_LOOPBACK || !(rt->flags & RTF_GATEWAY))) {
++ struct atalk_addr at_lo;
++
++ at_lo.s_node = 0;
++ at_lo.s_net = 0;
++
++ rt_lo = atrtr_find(&at_lo);
++
++ if (rt_lo && rt_lo->dev->hard_header_len > hard_header_len)
++ hard_header_len = rt_lo->dev->hard_header_len;
++ }
++
++ size += hard_header_len;
+ release_sock(sk);
+ skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+ lock_sock(sk);
+@@ -1647,7 +1662,7 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out;
+
+ skb_reserve(skb, ddp_dl->header_length);
+- skb_reserve(skb, dev->hard_header_len);
++ skb_reserve(skb, hard_header_len);
+ skb->dev = dev;
+
+ SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+@@ -1698,18 +1713,12 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ /* loop back */
+ skb_orphan(skb);
+ if (ddp->deh_dnode == ATADDR_BCAST) {
+- struct atalk_addr at_lo;
+-
+- at_lo.s_node = 0;
+- at_lo.s_net = 0;
+-
+- rt = atrtr_find(&at_lo);
+- if (!rt) {
++ if (!rt_lo) {
+ kfree_skb(skb);
+ err = -ENETUNREACH;
+ goto out;
+ }
+- dev = rt->dev;
++ dev = rt_lo->dev;
+ skb->dev = dev;
+ }
+ ddp_dl->request(ddp_dl, skb, dev->dev_addr);
+--
+2.30.1
+
diff --git a/queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch b/queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch
new file mode 100644
index 00000000000..5d4024d74ea
--- /dev/null
+++ b/queue-4.9/net-wan-lmc-unregister-device-when-no-matching-devic.patch
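Review bot: In the net/appletalk/ddp.c patch, `rt_lo` is now looked up before `release_sock(sk)` but not dereferenced until the loop-back branch in the last inner hunk (`dev = rt_lo->dev;`), so the pointer is held across `sock_alloc_send_skb()`, which may sleep when `MSG_DONTWAIT` is not set. The hunks do not show whether `atrtr_find()` hands back a counted reference; if it does not, a route removed in that window would leave `rt_lo` stale, whereas the removed code did the lookup immediately before use (`rt` and `dev` are already carried across the same window, so this widens an existing exposure rather than creating a new one). I would at least add a comment next to the early lookup, for example `/* rt_lo is reused after the unlocked allocation; route lifetime must cover that */`, or repeat the lookup in the loop-back branch and use the early one only to size the headroom. It is also worth confirming that the early condition covers every path that reaches `if (!rt_lo)`, because the enclosing loop-back condition lies outside the hunk and an uncovered path would now fail with `-ENETUNREACH`.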
@@ -0,0 +1,96 @@
+From 25ae723c1d47dc014deaa9f774ef2ce9f5007235 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Feb 2021 14:17:56 -0500
+Subject: net: wan/lmc: unregister device when no matching device is found
+
+From: Tong Zhang
+
+[ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
+
+lmc set sc->lmc_media pointer when there is a matching device.
+However, when no matching device is found, this pointer is NULL
+and the following dereference will result in a null-ptr-deref.
+
+To fix this issue, unregister the hdlc device and return an error.
+
+[ 4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
+[ 4.570102]
+[ 4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
+[ 4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
+[ 4.571125] Call Trace:
+[ 4.571261] dump_stack+0x7d/0xa3
+[ 4.571445] kasan_report.cold+0x10c/0x10e
+[ 4.571667] ? lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.571932] lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.572186] ? lmc_mii_readreg+0xa0/0xa0 [lmc]
+[ 4.572432] local_pci_probe+0x6f/0xb0
+[ 4.572639] pci_device_probe+0x171/0x240
+[ 4.572857] ? pci_device_remove+0xe0/0xe0
+[ 4.573080] ? kernfs_create_link+0xb6/0x110
+[ 4.573315] ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
+[ 4.573598] really_probe+0x161/0x420
+[ 4.573799] driver_probe_device+0x6d/0xd0
+[ 4.574022] device_driver_attach+0x82/0x90
+[ 4.574249] ? device_driver_attach+0x90/0x90
+[ 4.574485] __driver_attach+0x60/0x100
+[ 4.574694] ? device_driver_attach+0x90/0x90
+[ 4.574931] bus_for_each_dev+0xe1/0x140
+[ 4.575146] ? subsys_dev_iter_exit+0x10/0x10
+[ 4.575387] ? klist_node_init+0x61/0x80
+[ 4.575602] bus_add_driver+0x254/0x2a0
+[ 4.575812] driver_register+0xd3/0x150
+[ 4.576021] ? 0xffffffffc0018000
+[ 4.576202] do_one_initcall+0x84/0x250
+[ 4.576411] ? trace_event_raw_event_initcall_finish+0x150/0x150
+[ 4.576733] ? unpoison_range+0xf/0x30
+[ 4.576938] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[ 4.577219] ? unpoison_range+0xf/0x30
+[ 4.577423] ? unpoison_range+0xf/0x30
+[ 4.577628] do_init_module+0xf8/0x350
+[ 4.577833] load_module+0x3fe6/0x4340
+[ 4.578038] ? vm_unmap_ram+0x1d0/0x1d0
+[ 4.578247] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[ 4.578526] ? module_frob_arch_sections+0x20/0x20
+[ 4.578787] ? __do_sys_finit_module+0x108/0x170
+[ 4.579037] __do_sys_finit_module+0x108/0x170
+[ 4.579278] ? __ia32_sys_init_module+0x40/0x40
+[ 4.579523] ? file_open_root+0x200/0x200
+[ 4.579742] ? do_sys_open+0x85/0xe0
+[ 4.579938] ? filp_open+0x50/0x50
+[ 4.580125] ? exit_to_user_mode_prepare+0xfc/0x130
+[ 4.580390] do_syscall_64+0x33/0x40
+[ 4.580586] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 4.580859] RIP: 0033:0x7f1a724c3cf7
+[ 4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
+[ 4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
+[ 4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
+[ 4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
+[ 4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
+[ 4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
+[ 4.584349] ==================================================================
+
+Signed-off-by: Tong Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c
+index 04b60ed59ea0..4253ccb79975 100644
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -923,6 +923,8 @@ static int lmc_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ break;
+ default:
+ printk(KERN_WARNING "%s: LMC UNKNOWN CARD!\n", dev->name);
++ unregister_hdlc_device(dev);
++ return -EIO;
+ break;
+ }
+
+--
+2.30.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 5cd06bc9dc7..2e321132f5b 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,5 @@ staging-comedi-cb_pcidas-fix-request_irq-warn.patch
 staging-comedi-cb_pcidas64-fix-request_irq-warn.patch
 asoc-rt5659-update-mclk-rate-in-set_sysclk.patch
 ext4-do-not-iput-inode-under-running-transaction-in-.patch
+appletalk-fix-skb-allocation-size-in-loopback-case.patch
+net-wan-lmc-unregister-device-when-no-matching-devic.patch
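Review bot: In the drivers/net/wan/lmc/lmc_main.c patch, the new `default:` arm returns `-EIO` straight after `unregister_hdlc_device(dev)`, so anything lmc_init_one() acquired before the switch is not released on this path. What that is cannot be seen from the hunk; in a PCI probe routine it would typically be the device allocation, the private state and the PCI regions, and leaking them lets an unrecognised card leave resources pinned after a failed probe. If the function has unwind labels, the arm should jump to the matching one instead, along the lines of `unregister_hdlc_device(dev); err = -EIO; goto <existing-unwind-label>;` (the variable and label names here are placeholders to be checked against the full function). The `break;` left after `return -EIO;` is unreachable and can be dropped. lmc_init_one() starts and ends outside the hunk.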