From: Greg Kroah-Hartman Date: Mon, 25 Oct 2021 14:09:14 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.290~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7d218e9544207d0b786609afde99e95330367335;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: bpf-test-cgroup-use-sk_-alloc-free-for-test-cases.patch net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch usbnet-sanity-check-for-maxpacket.patch
---
diff --git a/queue-5.14/bpf-test-cgroup-use-sk_-alloc-free-for-test-cases.patch b/queue-5.14/bpf-test-cgroup-use-sk_-alloc-free-for-test-cases.patch
new file mode 100644
index 00000000000..cd229811fa4
--- /dev/null
+++ b/queue-5.14/bpf-test-cgroup-use-sk_-alloc-free-for-test-cases.patch
@@ -0,0 +1,80 @@
+From 435b08ec0094ac1e128afe6cfd0d9311a8c617a7 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Mon, 27 Sep 2021 14:39:21 +0200
+Subject: bpf, test, cgroup: Use sk_{alloc,free} for test cases
+
+From: Daniel Borkmann
+
+commit 435b08ec0094ac1e128afe6cfd0d9311a8c617a7 upstream.
+
+BPF test infra has some hacks in place which kzalloc() a socket and perform
+minimum init via sock_net_set() and sock_init_data(). As a result, the sk's
+skcd->cgroup is NULL since it didn't go through proper initialization as it
+would have been the case from sk_alloc(). Rather than re-adding a NULL test
+in sock_cgroup_ptr() just for this, use sk_{alloc,free}() pair for the test
+socket. The latter also allows to get rid of the bpf_sk_storage_free() special
+case.
+
+Fixes: 8520e224f547 ("bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode")
+Fixes: b7a1848e8398 ("bpf: add BPF_PROG_TEST_RUN support for flow dissector")
+Fixes: 2cb494a36c98 ("bpf: add tests for direct packet access from CGROUP_SKB")
+Reported-by: syzbot+664b58e9a40fbb2cec71@syzkaller.appspotmail.com
+Reported-by: syzbot+33f36d0754d4c5c0e102@syzkaller.appspotmail.com
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Alexei Starovoitov
+Tested-by: syzbot+664b58e9a40fbb2cec71@syzkaller.appspotmail.com
+Tested-by: syzbot+33f36d0754d4c5c0e102@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/bpf/20210927123921.21535-2-daniel@iogearbox.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bpf/test_run.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -552,6 +552,12 @@ static void convert_skb_to___skb(struct
+ __skb->gso_segs = skb_shinfo(skb)->gso_segs;
+ }
+
++static struct proto bpf_dummy_proto = {
++ .name = "bpf_dummy",
++ .owner = THIS_MODULE,
++ .obj_size = sizeof(struct sock),
++};
++
+ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
+ union bpf_attr __user *uattr)
+ {
+@@ -596,20 +602,19 @@ int bpf_prog_test_run_skb(struct bpf_pro
+ break;
+ }
+
+- sk = kzalloc(sizeof(struct sock), GFP_USER);
++ sk = sk_alloc(net, AF_UNSPEC, GFP_USER, &bpf_dummy_proto, 1);
+ if (!sk) {
+ kfree(data);
+ kfree(ctx);
+ return -ENOMEM;
+ }
+- sock_net_set(sk, net);
+ sock_init_data(NULL, sk);
+
+ skb = build_skb(data, 0);
+ if (!skb) {
+ kfree(data);
+ kfree(ctx);
+- kfree(sk);
++ sk_free(sk);
+ return -ENOMEM;
+ }
+ skb->sk = sk;
+@@ -682,8 +687,7 @@ out:
+ if (dev && dev != net->loopback_dev)
+ dev_put(dev);
+ kfree_skb(skb);
+- bpf_sk_storage_free(sk);
+- kfree(sk);
++ sk_free(sk);
+ kfree(ctx);
+ return ret;
+ }
diff --git a/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
new file mode 100644
index 00000000000..48dcd4cbd0b
--- /dev/null
+++ b/queue-5.14/net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
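Review bot: `bpf_dummy_proto` and the literal `1` passed as the last argument of `sk_alloc()` are added without any comment, so a reader cannot tell why a test-only proto exists or what the `1` selects. I would add above the struct `/* Minimal proto so the test socket is created by sk_alloc() and gets its cgroup data initialised */` and beside the call `/* kern = 1: kernel-internal socket */`. The commit message says the earlier kzalloc() path left skcd->cgroup NULL and that syzbot reported it, so the comment also guards against someone reverting to a bare allocation later. The body of bpf_prog_test_run_skb() between the second and third hunks is not visible, so it remains to be confirmed that every other exit after the allocation reaches `sk_free(sk)`.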
@@ -0,0 +1,89 @@
+From ab609f25d19858513919369ff3d9a63c02cd9e2e Mon Sep 17 00:00:00 2001
+From: Yanfei Xu
+Date: Sun, 26 Sep 2021 12:53:13 +0800
+Subject: net: mdiobus: Fix memory leak in __mdiobus_register
+
+From: Yanfei Xu
+
+commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it will cause memory
+leak.
+
+BUG: memory leak
+unreferenced object 0xffff888114032e00 (size 256):
+ comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff ................
+ 08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff .........ve.....
+ backtrace:
+ [] kmalloc include/linux/slab.h:591 [inline]
+ [] kzalloc include/linux/slab.h:721 [inline]
+ [] device_private_init drivers/base/core.c:3203 [inline]
+ [] device_add+0x89b/0xdf0 drivers/base/core.c:3253
+ [] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
+ [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [] call_driver_probe drivers/base/dd.c:517 [inline]
+ [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [] really_probe drivers/base/dd.c:558 [inline]
+ [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [] __device_attach+0x122/0x260 drivers/base/dd.c:969
+ [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
+ [] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
+ [] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
+ [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
+
+BUG: memory leak
+unreferenced object 0xffff888116f06900 (size 32):
+ comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
+ hex dump (first 32 bytes):
+ 75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00 usb-001:003.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kstrdup+0x36/0x70 mm/util.c:60
+ [] kstrdup_const+0x53/0x80 mm/util.c:83
+ [] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
+ [] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
+ [] dev_set_name+0x63/0x90 drivers/base/core.c:3147
+ [] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
+ [] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
+ [] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
+ [] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
+ [] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
+ [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [] call_driver_probe drivers/base/dd.c:517 [inline]
+ [] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
+ [] really_probe drivers/base/dd.c:558 [inline]
+ [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
+ [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
+ [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
+ [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
+ [] __device_attach+0x122/0x260 drivers/base/dd.c:969
+
+Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Signed-off-by: Yanfei Xu
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/mdio_bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -548,6 +548,7 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
++ put_device(&bus->dev);
+ return -EINVAL;
+ }
+
diff --git a/queue-5.14/series b/queue-5.14/series
index d4934a50bc7..d608e5a133a 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -161,3 +161,6 @@ autofs-fix-wait-name-hash-calculation-in-autofs_wait.patch
 scsi-core-fix-shost-cmd_per_lun-calculation-in-scsi_add_host_with_dma.patch
 s390-pci-cleanup-resources-only-if-necessary.patch
 s390-pci-fix-zpci_zdev_put-on-reserve.patch
+bpf-test-cgroup-use-sk_-alloc-free-for-test-cases.patch
+usbnet-sanity-check-for-maxpacket.patch
+net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
diff --git a/queue-5.14/usbnet-sanity-check-for-maxpacket.patch b/queue-5.14/usbnet-sanity-check-for-maxpacket.patch
new file mode 100644
index 00000000000..4a4f6a4bdc9
--- /dev/null
+++ b/queue-5.14/usbnet-sanity-check-for-maxpacket.patch
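Review bot: The added `put_device(&bus->dev)` may drop the last reference to the device, in which case its release callback runs before `__mdiobus_register()` returns. If that callback frees the enclosing `mii_bus` (it is not visible in this hunk), a caller that reacts to the error by calling mdiobus_free() would free or touch the bus a second time. Please confirm who owns `bus` on this error path and record it next to the call, for example `/* may drop the last reference; release can free bus, callers must not touch it afterwards */`. Separately, `return -EINVAL;` discards the code from device_register(); `return err;` would preserve it. __mdiobus_register() starts and ends outside the hunk.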
@@ -0,0 +1,37 @@
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1788,6 +1788,10 @@ usbnet_probe (struct usb_interface *udev
+ if (!dev->rx_urb_size)
+ dev->rx_urb_size = dev->hard_mtu;
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++ if (dev->maxpacket == 0) {
++ /* that is a broken device */
++ goto out4;
++ }
+
+ /* let userspace know we have a random address */
+ if (ether_addr_equal(net->dev_addr, node_id))
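Review bot: The new `goto out4;` taken when `dev->maxpacket == 0` does not set an error code first, so the probe returns whatever its status variable held from the preceding step. If that value is 0, usbnet_probe() would report success even though the cleanup at `out4` (outside the hunk) has already run, and the rest of the stack would then treat a torn-down device as bound. Set the code explicitly before the jump, e.g. `status = -ENODEV;` (the variable is declared outside the hunk; `status` is the name usbnet_probe() uses for its return value). The comment `/* that is a broken device */` could also state the reason given in the commit message, that a zero maxpacket is later used as a divisor. usbnet_probe() starts and ends outside the hunk.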