* [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect()
@ 2019-11-22 19:49 Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 02/13] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ]
if the second call of should_expire() in there ends up
grabbing and returning a new reference to dentry, we need
to drop it before continuing.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/autofs4/expire.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
index 2e1f50e467f15..02f0d373adbf7 100644
--- a/fs/autofs4/expire.c
+++ b/fs/autofs4/expire.c
@@ -469,9 +469,10 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
*/
flags &= ~AUTOFS_EXP_LEAVES;
found = should_expire(expired, mnt, timeout, how);
- if (!found || found != expired)
- /* Something has changed, continue */
+ if (found != expired) { // something has changed, continue
+ dput(found);
goto next;
+ }
if (expired != dentry)
dput(dentry);
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 02/13] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 03/13] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Sirong Wang, Weihang Li, Jason Gunthorpe, Sasha Levin, linux-rdma
From: Sirong Wang <wangsirong@huawei.com>
[ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ]
Size of pointer to buf field of struct hns_roce_hem_chunk should be
considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will
be larger than expected when allocating hem.
Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com
Signed-off-by: Sirong Wang <wangsirong@huawei.com>
Signed-off-by: Weihang Li <liweihang@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
index 435748858252d..8e8917ebb013b 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
@@ -52,7 +52,7 @@ enum {
#define HNS_ROCE_HEM_CHUNK_LEN \
((256 - sizeof(struct list_head) - 2 * sizeof(int)) / \
- (sizeof(struct scatterlist)))
+ (sizeof(struct scatterlist) + sizeof(void *)))
enum {
HNS_ROCE_HEM_PAGE_SHIFT = 12,
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 03/13] exportfs_decode_fh(): negative pinned may become positive without the parent locked
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 02/13] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 04/13] audit_get_nd(): don't unlock parent too early Sasha Levin
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exportfs/expfs.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
index 7a7bba7c23284..3706939e5dd5e 100644
--- a/fs/exportfs/expfs.c
+++ b/fs/exportfs/expfs.c
@@ -506,26 +506,33 @@ struct dentry *exportfs_decode_fh(struct vfsmount *mnt, struct fid *fid,
* inode is actually connected to the parent.
*/
err = exportfs_get_name(mnt, target_dir, nbuf, result);
- if (!err) {
- inode_lock(target_dir->d_inode);
- nresult = lookup_one_len(nbuf, target_dir,
- strlen(nbuf));
- inode_unlock(target_dir->d_inode);
- if (!IS_ERR(nresult)) {
- if (nresult->d_inode) {
- dput(result);
- result = nresult;
- } else
- dput(nresult);
- }
+ if (err) {
+ dput(target_dir);
+ goto err_result;
}
+ inode_lock(target_dir->d_inode);
+ nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf));
+ if (!IS_ERR(nresult)) {
+ if (unlikely(nresult->d_inode != result->d_inode)) {
+ dput(nresult);
+ nresult = ERR_PTR(-ESTALE);
+ }
+ }
+ inode_unlock(target_dir->d_inode);
/*
* At this point we are done with the parent, but it's pinned
* by the child dentry anyway.
*/
dput(target_dir);
+ if (IS_ERR(nresult)) {
+ err = PTR_ERR(nresult);
+ goto err_result;
+ }
+ dput(result);
+ result = nresult;
+
/*
* And finally make sure the dentry is actually acceptable
* to NFSD.
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 04/13] audit_get_nd(): don't unlock parent too early
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 02/13] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 03/13] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 05/13] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin, linux-audit
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ]
if the child has been negative and just went positive
under us, we want coherent d_is_positive() and ->d_inode.
Don't unlock the parent until we'd done that work...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit_watch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index f036b6ada6efc..712469a3103ac 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -365,12 +365,12 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
struct dentry *d = kern_path_locked(watch->path, parent);
if (IS_ERR(d))
return PTR_ERR(d);
- inode_unlock(d_backing_inode(parent->dentry));
if (d_is_positive(d)) {
/* update watch filter fields */
watch->dev = d->d_sb->s_dev;
watch->ino = d_backing_inode(d)->i_ino;
}
+ inode_unlock(d_backing_inode(parent->dentry));
dput(d);
return 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 05/13] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (2 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 04/13] audit_get_nd(): don't unlock parent too early Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 06/13] Input: cyttsp4_core - fix use after free bug Sasha Levin
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Stephan Gerhold, Andy Shevchenko, David S . Miller, Sasha Levin,
linux-nfc, netdev
From: Stephan Gerhold <stephan@gerhold.net>
[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ]
I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
result in a NULL pointer dereference at the moment:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
RIP: 0010:skb_queue_tail+0x25/0x50
Call Trace:
nci_recv_frame+0x36/0x90 [nci]
nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
? preempt_count_add+0x68/0xa0
? irq_forced_thread_fn+0x80/0x80
irq_thread_fn+0x20/0x60
irq_thread+0xee/0x180
? wake_threads_waitq+0x30/0x30
kthread+0xfb/0x130
? irq_thread_check_affinity+0xd0/0xd0
? kthread_park+0x90/0x90
ret_from_fork+0x1f/0x40
Afterward the kernel must be rebooted to work properly again.
This happens because it attempts to call nci_recv_frame() with skb == NULL.
However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
NULL checks for skb, causing the NULL pointer dereference.
Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
Make sure to log it so it is obvious that a communication error occurred.
The error above then becomes:
nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/nxp-nci/i2c.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index 06a157c63416a..7eab97585f22b 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -238,8 +238,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
if (r == -EREMOTEIO) {
phy->hard_fault = r;
- skb = NULL;
- } else if (r < 0) {
+ if (info->mode == NXP_NCI_MODE_FW)
+ nxp_nci_fw_recv_frame(phy->ndev, NULL);
+ }
+ if (r < 0) {
nfc_err(&client->dev, "Read failed with error %d\n", r);
goto exit_irq_handled;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 06/13] Input: cyttsp4_core - fix use after free bug
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (3 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 05/13] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 07/13] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Pan Bian, Dmitry Torokhov, Sasha Levin, linux-input
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ]
The device md->input is used after it is released. Setting the device
data to NULL is unnecessary as the device is never used again. Instead,
md->input should be assigned NULL to avoid accessing the freed memory
accidently. Besides, checking md->si against NULL is superfluous as it
points to a variable address, which cannot be NULL.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/touchscreen/cyttsp4_core.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c
index 44deca88c5797..c1c29d7487bf3 100644
--- a/drivers/input/touchscreen/cyttsp4_core.c
+++ b/drivers/input/touchscreen/cyttsp4_core.c
@@ -1972,11 +1972,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
/* get sysinfo */
md->si = &cd->sysinfo;
- if (!md->si) {
- dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n",
- __func__, md->si);
- goto error_get_sysinfo;
- }
rc = cyttsp4_setup_input_device(cd);
if (rc)
@@ -1986,8 +1981,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
error_init_input:
input_free_device(md->input);
-error_get_sysinfo:
- input_set_drvdata(md->input, NULL);
error_alloc_failed:
dev_err(dev, "%s failed.\n", __func__);
return rc;
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 07/13] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (4 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 06/13] Input: cyttsp4_core - fix use after free bug Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 08/13] slip: Fix memory leak in slip_open error path Sasha Levin
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: paulhsia, Takashi Iwai, Sasha Levin, alsa-devel
From: paulhsia <paulhsia@chromium.org>
[ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ]
If the nullity check for `substream->runtime` is outside of the lock
region, it is possible to have a null runtime in the critical section
if snd_pcm_detach_substream is called right before the lock.
Signed-off-by: paulhsia <paulhsia@chromium.org>
Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/pcm_lib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 3acb373674c37..f09ae7efc6957 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1877,11 +1877,14 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
struct snd_pcm_runtime *runtime;
unsigned long flags;
- if (PCM_RUNTIME_CHECK(substream))
+ if (snd_BUG_ON(!substream))
return;
- runtime = substream->runtime;
snd_pcm_stream_lock_irqsave(substream, flags);
+ if (PCM_RUNTIME_CHECK(substream))
+ goto _unlock;
+ runtime = substream->runtime;
+
if (!snd_pcm_running(substream) ||
snd_pcm_update_hw_ptr0(substream, 1) < 0)
goto _end;
@@ -1892,6 +1895,7 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
#endif
_end:
kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
+ _unlock:
snd_pcm_stream_unlock_irqrestore(substream, flags);
}
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 08/13] slip: Fix memory leak in slip_open error path
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (5 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 07/13] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jouni Hogander, David S. Miller, Oliver Hartkopp, Lukas Bulwahn,
Sasha Levin, netdev
From: Jouni Hogander <jouni.hogander@unikie.com>
[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]
Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
by Syzkaller in slcan. Same issue exists in slip.c and this patch is
addressing the leak in slip.c.
Here is the slcan memory leak trace reported by Syzkaller:
BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
hex dump (first 32 bytes):
73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
[<0000000083306e66>] kvmalloc_node+0x3a/0xc0
[<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
[<0000000061a996c9>] slcan_open+0x3ae/0x9a0
[<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
[<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
[<000000004de5a617>] tty_ioctl+0x48d/0x1590
[<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
[<0000000059068dbc>] ksys_ioctl+0x99/0xb0
[<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
[<0000000053d0332e>] do_syscall_64+0x16f/0x580
[<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<000000008ea75434>] 0xfffffffffffffff
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slip.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 9ed6d1c1ee45f..b2317b3a542a0 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -860,6 +860,7 @@ static int slip_open(struct tty_struct *tty)
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, &sl->flags);
+ free_netdev(sl->dev);
err_exit:
rtnl_unlock();
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (6 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 08/13] slip: Fix memory leak in slip_open error path Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 10/13] slcan: Fix memory leak in error path Sasha Levin
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Dan Carpenter, David S . Miller, Sasha Levin, linux-usb, netdev
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit a56dcc6b455830776899ce3686735f1172e12243 ]
This code is supposed to test for negative error codes and partial
reads, but because sizeof() is size_t (unsigned) type then negative
error codes are type promoted to high positive values and the condition
doesn't work as expected.
Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index cbb9b4343d1ea..be4e56826daf6 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -577,7 +577,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
- if (err < sizeof(max_datagram_size)) {
+ if (err != sizeof(max_datagram_size)) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 10/13] slcan: Fix memory leak in error path
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (7 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 11/13] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jouni Hogander, Wolfgang Grandegger, Marc Kleine-Budde,
Lukas Bulwahn, Sasha Levin, linux-can, netdev
From: Jouni Hogander <jouni.hogander@unikie.com>
[ Upstream commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed ]
This patch is fixing memory leak reported by Syzkaller:
BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
hex dump (first 32 bytes):
73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
[<0000000083306e66>] kvmalloc_node+0x3a/0xc0
[<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
[<0000000061a996c9>] slcan_open+0x3ae/0x9a0
[<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
[<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
[<000000004de5a617>] tty_ioctl+0x48d/0x1590
[<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
[<0000000059068dbc>] ksys_ioctl+0x99/0xb0
[<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
[<0000000053d0332e>] do_syscall_64+0x16f/0x580
[<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<000000008ea75434>] 0xffffffffffffffff
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/slcan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index eb7173713bbcb..a2c4048c07bec 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -613,6 +613,7 @@ static int slcan_open(struct tty_struct *tty)
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, &sl->flags);
+ free_netdev(sl->dev);
err_exit:
rtnl_unlock();
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 11/13] rsxx: add missed destroy_workqueue calls in remove
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (8 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 10/13] slcan: Fix memory leak in error path Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 13/13] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Chuhong Yuan, Jens Axboe, Sasha Levin, linux-block
From: Chuhong Yuan <hslester96@gmail.com>
[ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ]
The driver misses calling destroy_workqueue in remove like what is done
when probe fails.
Add the missed calls to fix it.
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rsxx/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index 34997df132e24..6beafaa335c71 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -1025,8 +1025,10 @@ static void rsxx_pci_remove(struct pci_dev *dev)
cancel_work_sync(&card->event_work);
+ destroy_workqueue(card->event_wq);
rsxx_destroy_dev(card);
rsxx_dma_destroy(card);
+ destroy_workqueue(card->creg_ctrl.creg_wq);
spin_lock_irqsave(&card->irq_lock, flags);
rsxx_disable_ier_and_isr(card, CR_INTR_ALL);
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (9 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 11/13] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 13/13] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Oliver Neukum, syzbot+a8d4acdad35e6bbca308, David S . Miller,
Sasha Levin, linux-usb, netdev
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
If a malicious device gives a short MAC it can elicit up to
5 bytes of leaked memory out of the driver. We need to check for
ETH_ALEN instead.
Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/ax88172a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 49a3bc107d054..2c50497cc4edc 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -215,7 +215,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
/* Get the MAC address */
ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
- if (ret < 0) {
+ if (ret < ETH_ALEN) {
netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
goto free;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.9 13/13] net: ep93xx_eth: fix mismatch of request_mem_region in remove
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
` (10 preceding siblings ...)
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
11 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Chuhong Yuan, David S . Miller, Sasha Levin, netdev
From: Chuhong Yuan <hslester96@gmail.com>
[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ]
The driver calls release_resource in remove to match request_mem_region
in probe, which is incorrect.
Fix it by using the right one, release_mem_region.
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c
index 9a161e9815297..24f69034f52c4 100644
--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c
+++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c
@@ -780,6 +780,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
{
struct net_device *dev;
struct ep93xx_priv *ep;
+ struct resource *mem;
dev = platform_get_drvdata(pdev);
if (dev == NULL)
@@ -795,8 +796,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
iounmap(ep->base_addr);
if (ep->res != NULL) {
- release_resource(ep->res);
- kfree(ep->res);
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ release_mem_region(mem->start, resource_size(mem));
}
free_netdev(dev);
--
2.20.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2019-11-22 19:52 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-22 19:49 [PATCH AUTOSEL 4.9 01/13] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 02/13] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 03/13] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 04/13] audit_get_nd(): don't unlock parent too early Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 05/13] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 06/13] Input: cyttsp4_core - fix use after free bug Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 07/13] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 08/13] slip: Fix memory leak in slip_open error path Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 10/13] slcan: Fix memory leak in error path Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 11/13] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 13/13] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).