From: Greg Kroah-Hartman
Date: Mon, 12 Apr 2021 07:32:24 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.187~16
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6bd25ae0c42353c650f2c37680013997252c6951;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
drivers-net-fix-memory-leak-in-atusb_probe.patch
drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
---
diff --git a/queue-5.10/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch b/queue-5.10/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
new file mode 100644
index 00000000000..b6b7034c933
--- /dev/null
+++ b/queue-5.10/cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
@@ -0,0 +1,36 @@
+From 1b5ab825d9acc0f27d2f25c6252f3526832a9626 Mon Sep 17 00:00:00 2001
+From: Du Cheng
+Date: Thu, 8 Apr 2021 00:27:56 +0800
+Subject: cfg80211: remove WARN_ON() in cfg80211_sme_connect
+
+From: Du Cheng
+
+commit 1b5ab825d9acc0f27d2f25c6252f3526832a9626 upstream.
+
+A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if multiple
+send_msg(NL80211_CMD_CONNECT) system calls are made from the userland, which
+should be anticipated and handled by the wireless driver. Remove this WARN_ON()
+to prevent kernel panic if kernel is configured to "panic_on_warn".
+
+Bug reported by syzbot.
+
+Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng
+Link: https://lore.kernel.org/r/20210407162756.6101-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -530,7 +530,7 @@ static int cfg80211_sme_connect(struct w
+ cfg80211_sme_free(wdev);
+ }
+
+- if (WARN_ON(wdev->conn))
++ if (wdev->conn)
+ return -EINPROGRESS;
+
+ wdev->conn = kzalloc(sizeof(*wdev->conn), GFP_KERNEL);
diff --git a/queue-5.10/drivers-net-fix-memory-leak-in-atusb_probe.patch b/queue-5.10/drivers-net-fix-memory-leak-in-atusb_probe.patch
new file mode 100644
index 00000000000..4d318fe3af6
--- /dev/null
+++ b/queue-5.10/drivers-net-fix-memory-leak-in-atusb_probe.patch
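Review bot: The bare `if (wdev->conn)` check in cfg80211_sme_connect() (net/wireless/sme.c) has no comment recording that this state is reachable from userspace, so a later cleanup could plausibly restore the WARN_ON() and bring back the panic_on_warn crash the commit message describes. I would add `/* Reachable from userspace via repeated NL80211_CMD_CONNECT; reject without WARN */` above the check. The function body starts and ends outside this hunk, so whether every caller handles -EINPROGRESS gracefully cannot be confirmed from here.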
@@ -0,0 +1,38 @@
+From 6b9fbe16955152626557ec6f439f3407b7769941 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Thu, 1 Apr 2021 07:46:24 +0300
+Subject: drivers: net: fix memory leak in atusb_probe
+
+From: Pavel Skripkin
+
+commit 6b9fbe16955152626557ec6f439f3407b7769941 upstream.
+
+syzbot reported memory leak in atusb_probe()[1].
+The problem was in atusb_alloc_urbs().
+Since urb is anchored, we need to release the reference
+to correctly free the urb
+
+backtrace:
+ [] kmalloc include/linux/slab.h:559 [inline]
+ [] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
+ [] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2]
+ [] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1]
+
+Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ieee802154/atusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -365,6 +365,7 @@ static int atusb_alloc_urbs(struct atusb
+ return -ENOMEM;
+ }
+ usb_anchor_urb(urb, &atusb->idle_urbs);
++ usb_free_urb(urb);
+ n--;
+ }
+ return 0;
diff --git a/queue-5.10/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch b/queue-5.10/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
new file mode 100644
index 00000000000..fedc942c33b
--- /dev/null
+++ b/queue-5.10/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
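Review bot: In atusb_alloc_urbs() (drivers/net/ieee802154/atusb.c) the added `usb_free_urb(urb);` directly after `usb_anchor_urb(urb, &atusb->idle_urbs);` reads like a premature free unless the reader already knows the anchor took its own reference. A one-line comment such as `/* anchor holds its own reference; drop the allocation reference */` would make the ownership hand-off explicit. The loop header and the error path above `return -ENOMEM;` are outside the hunk, so it is worth confirming that every consumer of idle_urbs acquires a reference before the URB is unanchored.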
@@ -0,0 +1,52 @@
+From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Thu, 1 Apr 2021 16:27:52 +0300
+Subject: drivers: net: fix memory leak in peak_usb_create_dev
+
+From: Pavel Skripkin
+
+commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream.
+
+syzbot reported memory leak in peak_usb.
+The problem was in case of failure after calling
+->dev_init()[2] in peak_usb_create_dev()[1]. The data
+allocated int dev_init() wasn't freed, so simple
+->dev_free() call fix this problem.
+
+backtrace:
+ [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline]
+ [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline]
+ [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2]
+ [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1]
+ [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949
+
+Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -856,7 +856,7 @@ static int peak_usb_create_dev(const str
+ if (dev->adapter->dev_set_bus) {
+ err = dev->adapter->dev_set_bus(dev, 0);
+ if (err)
+- goto lbl_unregister_candev;
++ goto adap_dev_free;
+ }
+
+ /* get device number early */
+@@ -868,6 +868,10 @@ static int peak_usb_create_dev(const str
+
+ return 0;
+
++adap_dev_free:
++ if (dev->adapter->dev_free)
++ dev->adapter->dev_free(dev);
++
+ lbl_unregister_candev:
+ unregister_candev(netdev);
+
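Review bot: The new error label `adap_dev_free:` in peak_usb_create_dev() departs from the `lbl_` prefix used by the label directly below it, `lbl_unregister_candev:`; naming it `lbl_adap_dev_free:` (with the matching `goto lbl_adap_dev_free;` in the dev_set_bus failure branch) would keep the unwind ladder uniform. The label also relies on falling through into `lbl_unregister_candev`, which deserves a short comment such as `/* undo ->dev_init(), then fall through */`. Both inner hunks cut through the function, so any other failure exit between ->dev_init() and `return 0;` is not visible here and should be checked to use the new label as well.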
diff --git a/queue-5.10/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch b/queue-5.10/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
new file mode 100644
index 00000000000..da6689586d8
--- /dev/null
+++ b/queue-5.10/net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
@@ -0,0 +1,96 @@
+From cca8ea3b05c972ffb5295367e6c544369b45fbdd Mon Sep 17 00:00:00 2001
+From: Phillip Potter
+Date: Tue, 6 Apr 2021 18:45:54 +0100
+Subject: net: tun: set tun->dev->addr_len during TUNSETLINK processing
+
+From: Phillip Potter
+
+commit cca8ea3b05c972ffb5295367e6c544369b45fbdd upstream.
+
+When changing type with TUNSETLINK ioctl command, set tun->dev->addr_len
+to match the appropriate type, using new tun_get_addr_len utility function
+which returns appropriate address length for given type. Fixes a
+KMSAN-found uninit-value bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=0766d38c656abeace60621896d705743aeefed51
+
+Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com
+Diagnosed-by: Eric Dumazet
+Signed-off-by: Phillip Potter
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -69,6 +69,14 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
+
+ #include
+ #include
+@@ -2978,6 +2986,45 @@ static int tun_set_ebpf(struct tun_struc
+ return __tun_set_ebpf(tun, prog_p, prog);
+ }
+
++/* Return correct value for tun->dev->addr_len based on tun->dev->type. */
++static unsigned char tun_get_addr_len(unsigned short type)
++{
++ switch (type) {
++ case ARPHRD_IP6GRE:
++ case ARPHRD_TUNNEL6:
++ return sizeof(struct in6_addr);
++ case ARPHRD_IPGRE:
++ case ARPHRD_TUNNEL:
++ case ARPHRD_SIT:
++ return 4;
++ case ARPHRD_ETHER:
++ return ETH_ALEN;
++ case ARPHRD_IEEE802154:
++ case ARPHRD_IEEE802154_MONITOR:
++ return IEEE802154_EXTENDED_ADDR_LEN;
++ case ARPHRD_PHONET_PIPE:
++ case ARPHRD_PPP:
++ case ARPHRD_NONE:
++ return 0;
++ case ARPHRD_6LOWPAN:
++ return EUI64_ADDR_LEN;
++ case ARPHRD_FDDI:
++ return FDDI_K_ALEN;
++ case ARPHRD_HIPPI:
++ return HIPPI_ALEN;
++ case ARPHRD_IEEE802:
++ return FC_ALEN;
++ case ARPHRD_ROSE:
++ return ROSE_ADDR_LEN;
++ case ARPHRD_NETROM:
++ return AX25_ADDR_LEN;
++ case ARPHRD_LOCALTLK:
++ return LTALK_ALEN;
++ default:
++ return 0;
++ }
++}
++
+ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg, int ifreq_len)
+ {
+@@ -3133,6 +3180,7 @@ static long __tun_chr_ioctl(struct file
+ ret = -EBUSY;
+ } else {
+ tun->dev->type = (int) arg;
++ tun->dev->addr_len = tun_get_addr_len(tun->dev->type);
+ netif_info(tun, drv, tun->dev, "linktype set to %d\n",
+ tun->dev->type);
+ ret = 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index 94a3ac2bd5b..e73cb5eb2c1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -172,3 +172,7 @@ lockdep-address-clang-wformat-warning-printing-for-hd.patch
 dt-bindings-net-ethernet-controller-fix-typo-in-nvmem.patch
 net-sched-bump-refcount-for-new-action-in-act-replace-mode.patch
 gpiolib-read-gpio-line-names-from-a-firmware-node.patch
+cfg80211-remove-warn_on-in-cfg80211_sme_connect.patch
+net-tun-set-tun-dev-addr_len-during-tunsetlink-processing.patch
+drivers-net-fix-memory-leak-in-atusb_probe.patch
+drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch
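Review bot: In tun_get_addr_len() (drivers/net/tun.c) the `default: return 0;` arm gives every unlisted link type a zero address length without saying so, and the caller in __tun_chr_ioctl() passes it `tun->dev->type`, which was just assigned from the user-supplied `arg` via `(int) arg` with no range check visible in the hunk. A comment on the default arm, e.g. `/* unlisted or unknown type: no link-layer address */`, would show that this is a deliberate choice rather than an omission. The IPv4 tunnel cases return a bare `4` while the IPv6 cases use `sizeof(struct in6_addr)`; `return sizeof(struct in_addr);` would be consistent, assuming the header declaring it is already included (the #include targets were stripped from this page). __tun_chr_ioctl() continues outside both inner hunks.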