* [PATCH AUTOSEL 4.14 03/21] xfrm: Fix memleak on xfrm state destroy
       [not found] <20191122194931.24732-1-sashal@kernel.org>
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 04/21] iwlwifi: pcie: don't consider IV len in A-MSDU Sasha Levin
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Steffen Klassert, JD, Paul Wouters, Sasha Levin, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>

[ Upstream commit 86c6739eda7d2a03f2db30cbee67a5fb81afa8ba ]

We leak the page that we use to create skb page fragments
when destroying the xfrm_state. Fix this by dropping a
page reference if a page was assigned to the xfrm_state.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: JD <jdtxs00@gmail.com>
Reported-by: Paul Wouters <paul@nohats.ca>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_state.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index bd16e6882017e..190ca59d5ba31 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -449,6 +449,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
 		x->type->destructor(x);
 		xfrm_put_type(x->type);
 	}
+	if (x->xfrag.page)
+		put_page(x->xfrag.page);
 	xfrm_dev_state_free(x);
 	security_xfrm_state_free(x);
 	kfree(x);
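Review bot: The new `put_page()` call has no comment saying which page this is or where its reference was taken, and the hunk shows neither. A one-line comment above the check would keep that knowledge next to the code, e.g. `/* drop the ref on the page used for skb page fragments, if one was assigned */`. xfrm_state_gc_destroy() begins outside the hunk, so whether any other teardown path also needs this release cannot be confirmed from here.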
-- 
2.20.1



* [PATCH AUTOSEL 4.14 04/21] iwlwifi: pcie: don't consider IV len in A-MSDU
       [not found] <20191122194931.24732-1-sashal@kernel.org>
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 03/21] xfrm: Fix memleak on xfrm state destroy Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 07/21] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Mordechay Goodstein, Luca Coelho, Kalle Valo, Sasha Levin,
	linux-wireless, netdev

From: Mordechay Goodstein <mordechay.goodstein@intel.com>

[ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ]

From gen2 PN is totally offloaded to hardware (also the space for the
IV isn't part of the skb).  As you can see in mvm/mac80211.c:3545, the
MAC for cipher types CCMP/GCMP doesn't set
IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs.

This causes all the AMSDU data to be corrupted with cipher enabled.

Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++++++------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
index 6f45c8148b279..bbb39d6ec2ee3 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
@@ -232,27 +232,23 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	struct ieee80211_hdr *hdr = (void *)skb->data;
 	unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room;
 	unsigned int mss = skb_shinfo(skb)->gso_size;
-	u16 length, iv_len, amsdu_pad;
+	u16 length, amsdu_pad;
 	u8 *start_hdr;
 	struct iwl_tso_hdr_page *hdr_page;
 	struct page **page_ptr;
 	struct tso_t tso;
 
-	/* if the packet is protected, then it must be CCMP or GCMP */
-	iv_len = ieee80211_has_protected(hdr->frame_control) ?
-		IEEE80211_CCMP_HDR_LEN : 0;
-
 	trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd),
 			     &dev_cmd->hdr, start_len, 0);
 
 	ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb);
 	snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb);
-	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len - iv_len;
+	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;
 	amsdu_pad = 0;
 
 	/* total amount of header we may need for this A-MSDU */
 	hdr_room = DIV_ROUND_UP(total_len, mss) *
-		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)) + iv_len;
+		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr));
 
 	/* Our device supports 9 segments at most, it will fit in 1 page */
 	hdr_page = get_page_hdr(trans, hdr_room);
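Review bot: With `iv_len` gone, nothing in iwl_pcie_gen2_build_amsdu() records why no IV bytes are accounted for after the 802.11 header; the only comment about the cipher assumption was deleted with it. A short comment above the `total_len` computation would stop a later change from re-adding the IV handling, e.g. `/* gen2: PN/IV is offloaded to hardware, no IV space is present in the skb */`. Separately, `total_len` is an unsigned subtraction from `skb->len` and the hunk shows no lower-bound check, so it is worth confirming the caller guarantees the skb is longer than the combined headers. The function starts before and continues after this hunk.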
@@ -263,14 +259,12 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	start_hdr = hdr_page->pos;
 	page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs);
 	*page_ptr = hdr_page->page;
-	memcpy(hdr_page->pos, skb->data + hdr_len, iv_len);
-	hdr_page->pos += iv_len;
 
 	/*
-	 * Pull the ieee80211 header + IV to be able to use TSO core,
+	 * Pull the ieee80211 header to be able to use TSO core,
 	 * we will restore it for the tx_status flow.
 	 */
-	skb_pull(skb, hdr_len + iv_len);
+	skb_pull(skb, hdr_len);
 
 	/*
 	 * Remove the length of all the headers that we don't actually
@@ -348,8 +342,8 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 		}
 	}
 
-	/* re -add the WiFi header and IV */
-	skb_push(skb, hdr_len + iv_len);
+	/* re -add the WiFi header */
+	skb_push(skb, hdr_len);
 
 	return 0;
 
-- 
2.20.1



* [PATCH AUTOSEL 4.14 07/21] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
       [not found] <20191122194931.24732-1-sashal@kernel.org>
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 03/21] xfrm: Fix memleak on xfrm state destroy Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 04/21] iwlwifi: pcie: don't consider IV len in A-MSDU Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 08/21] xfrm: release device reference for invalid state Sasha Levin
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Stephan Gerhold, Andy Shevchenko, David S . Miller, Sasha Levin,
	linux-nfc, netdev

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ]

I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
result in a NULL pointer dereference at the moment:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: 0002 [#1] PREEMPT SMP NOPTI
    CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
    RIP: 0010:skb_queue_tail+0x25/0x50
    Call Trace:
     nci_recv_frame+0x36/0x90 [nci]
     nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
     ? preempt_count_add+0x68/0xa0
     ? irq_forced_thread_fn+0x80/0x80
     irq_thread_fn+0x20/0x60
     irq_thread+0xee/0x180
     ? wake_threads_waitq+0x30/0x30
     kthread+0xfb/0x130
     ? irq_thread_check_affinity+0xd0/0xd0
     ? kthread_park+0x90/0x90
     ret_from_fork+0x1f/0x40

Afterward the kernel must be rebooted to work properly again.

This happens because it attempts to call nci_recv_frame() with skb == NULL.
However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
NULL checks for skb, causing the NULL pointer dereference.

Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
Make sure to log it so it is obvious that a communication error occurred.
The error above then becomes:

    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
    nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121

Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index 198585bbc7711..d9492cffd00e5 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -236,8 +236,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
 
 	if (r == -EREMOTEIO) {
 		phy->hard_fault = r;
-		skb = NULL;
-	} else if (r < 0) {
+		if (info->mode == NXP_NCI_MODE_FW)
+			nxp_nci_fw_recv_frame(phy->ndev, NULL);
+	}
+	if (r < 0) {
 		nfc_err(&client->dev, "Read failed with error %d\n", r);
 		goto exit_irq_handled;
 	}
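Review bot: The `-EREMOTEIO` branch now passes a NULL frame to `nxp_nci_fw_recv_frame()` with no comment explaining that this is deliberate, which is exactly the kind of call a later cleanup might "fix" or copy to `nci_recv_frame()`. Add a comment above it such as `/* NULL frame reports the failed read to the firmware path; nci_recv_frame() must never be given a NULL skb */`. Also, `nfc_err()` now fires for every failed read in the IRQ thread; if a faulty device can trigger this repeatedly, a rate-limited log call would keep the kernel log usable. The handler body extends beyond both ends of the hunk, so where `info` is set is not visible here.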
-- 
2.20.1



* [PATCH AUTOSEL 4.14 08/21] xfrm: release device reference for invalid state
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (2 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 07/21] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 12/21] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules Sasha Levin
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Xiaodong Xu, Bo Chen, Steffen Klassert, Sasha Levin, netdev

From: Xiaodong Xu <stid.smth@gmail.com>

[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]

An ESP packet could be decrypted in async mode if the input handler for
this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
reference in skb is held. Later xfrm_input() will be invoked again to
resume the processing.
If the transform state is still valid it would continue to release the
device reference and there won't be a problem; however if the transform
state is not valid when async resumption happens, the packet will be
dropped while the device reference is still being held.
When the device is deleted for some reason and the reference to this
device is not properly released, the kernel will keep logging like:

unregister_netdevice: waiting for ppp2 to become free. Usage count = 1

The issue is observed when running IPsec traffic over a PPPoE device based
on a bridge interface. By terminating the PPPoE connection on the server
end for multiple times, the PPPoE device on the client side will eventually
get stuck on the above warning message.

This patch will check the async mode first and continue to release device
reference in async resumption, before it is dropped due to invalid state.

v2: Do not assign address family from outer_mode in the transform if the
state is invalid

v3: Release device reference in the error path instead of jumping to resume

Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
Reported-by: Bo Chen <chenborfc@163.com>
Tested-by: Bo Chen <chenborfc@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_input.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 06dec32503bd6..6abcec0d65b1f 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -245,6 +245,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 			else
 				XFRM_INC_STATS(net,
 					       LINUX_MIB_XFRMINSTATEINVALID);
+
+			if (encap_type == -1)
+				dev_put(skb->dev);
 			goto drop;
 		}
 
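Review bot: The new `if (encap_type == -1)` relies on a bare magic value, and at this point in xfrm_input() nothing tells the reader that -1 means async resumption or that a device reference is held in that case. A comment above the check would make the pairing explicit, e.g. `/* async resumption: drop the dev reference held since the input handler returned -EINPROGRESS */`. The Fixes: line refers to `encap_type < 0`, so it is worth confirming that no other negative value reaches this drop path with the reference still held; that cannot be determined from the hunk, which shows only the tail of the invalid-state branch.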
-- 
2.20.1



* [PATCH AUTOSEL 4.14 12/21] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (3 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 08/21] xfrm: release device reference for invalid state Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 13/21] slip: Fix memory leak in slip_open error path Sasha Levin
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Aleksander Morgado, Bjørn Mork, David S . Miller,
	Sasha Levin, netdev, linux-usb

From: Aleksander Morgado <aleksander@aleksander.es>

[ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ]

These are the Foxconn-branded variants of the Dell DW5821e modules,
same USB layout as those.

The QMI interface is exposed in USB configuration #1:

P:  Vendor=0489 ProdID=e0b4 Rev=03.18
S:  Manufacturer=FII
S:  Product=T77W968 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/qmi_wwan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 8ed538295d090..4a984b76a60ec 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1295,6 +1295,8 @@ static const struct usb_device_id products[] = {
 	{QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)},	/* Quectel EG91 */
 	{QMI_FIXED_INTF(0x2c7c, 0x0296, 4)},	/* Quectel BG96 */
 	{QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)},	/* Fibocom NL678 series */
+	{QMI_FIXED_INTF(0x0489, 0xe0b4, 0)},	/* Foxconn T77W968 LTE */
+	{QMI_FIXED_INTF(0x0489, 0xe0b5, 0)},	/* Foxconn T77W968 LTE with eSIM support*/
 
 	/* 4. Gobi 1000 devices */
 	{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)},	/* Acer Gobi Modem Device */
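Review bot: The `0xe0b5` entry binds interface 0 on the strength of the `0xe0b4` descriptor dump alone; the commit message shows no layout for the eSIM variant, so the interface number there is an assumption worth confirming against a real device. Binding the wrong interface would attach qmi_wwan to an endpoint set it was not meant to drive. As a minor style point, the second comment is missing the space before the terminator: `/* Foxconn T77W968 LTE with eSIM support */`.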
-- 
2.20.1



* [PATCH AUTOSEL 4.14 13/21] slip: Fix memory leak in slip_open error path
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (4 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 12/21] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 14/21] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jouni Hogander, David S. Miller, Oliver Hartkopp, Lukas Bulwahn,
	Sasha Levin, netdev

From: Jouni Hogander <jouni.hogander@unikie.com>

[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]

Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
by Syzkaller in slcan. Same issue exists in slip.c and this patch is
addressing the leak in slip.c.

Here is the slcan memory leak trace reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<000000008ea75434>] 0xfffffffffffffff

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 436dd78c396a7..2901b7db9d2e1 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -859,6 +859,7 @@ static int slip_open(struct tty_struct *tty)
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	free_netdev(sl->dev);
 
 err_exit:
 	rtnl_unlock();
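Review bot: `free_netdev(sl->dev)` on the error path frees the device while the driver may still hold another pointer to it; the hunk shows no lookup-table entry for this device being cleared first. If slip_open() obtained `sl` through a driver-wide device array (the allocation is outside the hunk), a later open could walk that array and touch the freed net_device. `sl` itself presumably lives in the netdev private area, so it must not be used after this line. Clear the driver's reference to the device before freeing it, and confirm nothing after `err_exit:` dereferences `sl`. The identical line added to slcan_open() in drivers/net/can/slcan.c needs the same check.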
-- 
2.20.1



* [PATCH AUTOSEL 4.14 14/21] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (5 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 13/21] slip: Fix memory leak in slip_open error path Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 15/21] slcan: Fix memory leak in error path Sasha Levin
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dan Carpenter, David S . Miller, Sasha Levin, linux-usb, netdev

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit a56dcc6b455830776899ce3686735f1172e12243 ]

This code is supposed to test for negative error codes and partial
reads, but because sizeof() is size_t (unsigned) type then negative
error codes are type promoted to high positive values and the condition
doesn't work as expected.

Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/cdc_ncm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index d53b4a41c583a..cb4c9d419bd39 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -579,7 +579,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
 	err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
 			      USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
 			      0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
-	if (err < sizeof(max_datagram_size)) {
+	if (err != sizeof(max_datagram_size)) {
 		dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
 		goto out;
 	}
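Review bot: The corrected test `err != sizeof(max_datagram_size)` still compares a signed `err` with a `size_t`, so it is right only because `!=` happens to survive the promotion; someone tidying it back to `<` would silently reintroduce the bug. Making the types explicit removes that trap, e.g. `if (err != (int)sizeof(max_datagram_size)) {`. The `dev_dbg()` message also drops `err`, so a negative error code and a short read are indistinguishable in the log; `"GET_MAX_DATAGRAM_SIZE failed: %d\n", err` would separate them. How `err` is declared is outside the hunk.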
-- 
2.20.1



* [PATCH AUTOSEL 4.14 15/21] slcan: Fix memory leak in error path
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (6 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 14/21] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 17/21] ax88172a: fix information leak on short answers Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 18/21] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jouni Hogander, Wolfgang Grandegger, Marc Kleine-Budde,
	Lukas Bulwahn, Sasha Levin, linux-can, netdev

From: Jouni Hogander <jouni.hogander@unikie.com>

[ Upstream commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed ]

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<000000008ea75434>] 0xffffffffffffffff

Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/slcan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index 5d067c1b987f8..49427f44dc5ba 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -613,6 +613,7 @@ static int slcan_open(struct tty_struct *tty)
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	free_netdev(sl->dev);
 
 err_exit:
 	rtnl_unlock();
-- 
2.20.1



* [PATCH AUTOSEL 4.14 17/21] ax88172a: fix information leak on short answers
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (7 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 15/21] slcan: Fix memory leak in error path Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 18/21] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Oliver Neukum, syzbot+a8d4acdad35e6bbca308, David S . Miller,
	Sasha Levin, linux-usb, netdev

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]

If a malicious device gives a short MAC it can elicit up to
5 bytes of leaked memory out of the driver. We need to check for
ETH_ALEN instead.

Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/ax88172a.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 501576f538546..914cac55a7ae7 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -208,7 +208,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
 
 	/* Get the MAC address */
 	ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
-	if (ret < 0) {
+	if (ret < ETH_ALEN) {
 		netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
 		goto free;
 	}
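Review bot: On a short read `ret` is still a non-negative byte count (0 to 5) when the new check jumps to `free`, so the failure can reach the caller looking like success. The `free:` label is outside the hunk; if it ends in `return ret;` and the caller treats only negative values as errors, bind would appear to succeed after its private data has been released. Set an explicit error code before the jump, e.g. `ret = -EIO;` placed after the `netdev_err()` call so the log still shows the short length.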
-- 
2.20.1



* [PATCH AUTOSEL 4.14 18/21] net: ep93xx_eth: fix mismatch of request_mem_region in remove
       [not found] <20191122194931.24732-1-sashal@kernel.org>
                   ` (8 preceding siblings ...)
  2019-11-22 19:49 ` [PATCH AUTOSEL 4.14 17/21] ax88172a: fix information leak on short answers Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
  9 siblings, 0 replies; 10+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Chuhong Yuan, David S . Miller, Sasha Levin, netdev

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ]

The driver calls release_resource in remove to match request_mem_region
in probe, which is incorrect.
Fix it by using the right one, release_mem_region.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c
index e2a702996db41..82bd918bf967f 100644
--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c
+++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c
@@ -767,6 +767,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 {
 	struct net_device *dev;
 	struct ep93xx_priv *ep;
+	struct resource *mem;
 
 	dev = platform_get_drvdata(pdev);
 	if (dev == NULL)
@@ -782,8 +783,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 		iounmap(ep->base_addr);
 
 	if (ep->res != NULL) {
-		release_resource(ep->res);
-		kfree(ep->res);
+		mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+		release_mem_region(mem->start, resource_size(mem));
 	}
 
 	free_netdev(dev);
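Review bot: `mem` is dereferenced in `release_mem_region(mem->start, resource_size(mem))` without a NULL check, although `platform_get_resource()` can return NULL. The surrounding `ep->res != NULL` guard presumably implies probe already found this resource, but that link is not visible in the hunk and nothing states it. Either guard the call, `if (mem) release_mem_region(mem->start, resource_size(mem));`, or add a comment saying that a non-NULL `ep->res` guarantees the lookup succeeds. `ep->res` is also left pointing at the released region, which is harmless only if nothing reads it before `free_netdev(dev)`.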
-- 
2.20.1


