<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()</title>
<updated>2020-06-11T18:05:42+00:00</updated>
<author>
<name>Qing Xu</name>
<email>m1s5p6688@gmail.com</email>
</author>
<published>2020-01-02T02:39:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=60a613dc22ee9932c3ba67eadb08de357e36f01f'/>
<id>60a613dc22ee9932c3ba67eadb08de357e36f01f</id>
<content type='text'>
commit 3a9b153c5591548612c3955c9600a98150c81875 upstream.

mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size.Since the source is given from remote AP which
contains illegal wmm elements , this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3a9b153c5591548612c3955c9600a98150c81875 upstream.

mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size.Since the source is given from remote AP which
contains illegal wmm elements , this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()</title>
<updated>2020-06-11T18:05:41+00:00</updated>
<author>
<name>Qing Xu</name>
<email>m1s5p6688@gmail.com</email>
</author>
<published>2020-01-02T02:39:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f0c210c885dbc5000d3c3e27723beedda5988cee'/>
<id>f0c210c885dbc5000d3c3e27723beedda5988cee</id>
<content type='text'>
commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d upstream.

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16:
 - Use dev_info() instead of mwifiex_dbg()
 - Adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d upstream.

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16:
 - Use dev_info() instead of mwifiex_dbg()
 - Adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slip: not call free_netdev before rtnl_unlock in slip_open</title>
<updated>2020-06-11T18:05:36+00:00</updated>
<author>
<name>yangerkun</name>
<email>yangerkun@huawei.com</email>
</author>
<published>2020-02-26T03:54:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=78c31fa288ee2f58f84c792cc75d93efd073f4cf'/>
<id>78c31fa288ee2f58f84c792cc75d93efd073f4cf</id>
<content type='text'>
commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

Signed-off-by: yangerkun &lt;yangerkun@huawei.com&gt;
Reviewed-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

Signed-off-by: yangerkun &lt;yangerkun@huawei.com&gt;
Reviewed-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slip: Fix use-after-free Read in slip_open</title>
<updated>2020-06-11T18:05:36+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-25T12:23:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e143aa385d0d7bd954fe97d4719f8dce933e67f8'/>
<id>e143aa385d0d7bd954fe97d4719f8dce933e67f8</id>
<content type='text'>
commit e58c1912418980f57ba2060017583067f5f71e52 upstream.

Slip_open doesn't clean-up device which registration failed from the
slip_devs device list. On next open after failure this list is iterated
and freed device is accessed. Fix this by calling sl_free_netdev in error
path.

Here is the trace from the Syzbot:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: sl_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e58c1912418980f57ba2060017583067f5f71e52 upstream.

Slip_open doesn't clean-up device which registration failed from the
slip_devs device list. On next open after failure this list is iterated
and freed device is accessed. Fix this by calling sl_free_netdev in error
path.

Here is the trace from the Syzbot:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: sl_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slip: Fix memory leak in slip_open error path</title>
<updated>2020-06-11T18:05:36+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-13T11:45:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=103921f069ae9189806fe5913beb40c1def7ae56'/>
<id>103921f069ae9189806fe5913beb40c1def7ae56</id>
<content type='text'>
commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa upstream.

Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
by Syzkaller in slcan. Same issue exists in slip.c and this patch is
addressing the leak in slip.c.

Here is the slcan memory leak trace reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xfffffffffffffff

Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa upstream.

Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
by Syzkaller in slcan. Same issue exists in slip.c and this patch is
addressing the leak in slip.c.

Here is the slcan memory leak trace reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xfffffffffffffff

Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slcan: not call free_netdev before rtnl_unlock in slcan_open</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2020-03-21T13:08:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8262bc14b32853532c2fba0649524afa951c983b'/>
<id>8262bc14b32853532c2fba0649524afa951c983b</id>
<content type='text'>
commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun &lt;yangerkun@huawei.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun &lt;yangerkun@huawei.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: slcan: Fix use-after-free Read in slcan_open</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-27T06:40:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fc32a080b625b4e9f997468eafbacc537229c7ef'/>
<id>fc32a080b625b4e9f997468eafbacc537229c7ef</id>
<content type='text'>
commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

Slcan_open doesn't clean-up device which registration failed from the
slcan_devs device list. On next open this list is iterated and freed
device is accessed. Fix this by calling slc_free_netdev in error path.

Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

Slcan_open doesn't clean-up device which registration failed from the
slcan_devs device list. On next open this list is iterated and freed
device is accessed. Fix this by calling slc_free_netdev in error path.

Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slcan: Fix memory leak in error path</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-13T10:08:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ff41ac4dd357b10010949dc50e640c9eb5d5f052'/>
<id>ff41ac4dd357b10010949dc50e640c9eb5d5f052</id>
<content type='text'>
commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xffffffffffffffff

Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xffffffffffffffff

Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bonding/alb: properly access headers in bond_alb_xmit()</title>
<updated>2020-05-22T20:19:43+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2020-02-05T03:26:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=888865cfee84dbf800fb174cfa70ec58bf326578'/>
<id>888865cfee84dbf800fb174cfa70ec58bf326578</id>
<content type='text'>
commit 38f88c45404293bbc027b956def6c10cbd45c616 upstream.

syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.

First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report transport offset was 0xFFFF

This patch removes ipx_hdr() since it was only (mis)used from bonding.

Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb-&gt;head before dereferencing anything.

BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
 (if (ipx_hdr(skb)-&gt;ipx_checksum != IPX_NO_CHECKSUM) ...)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 [&lt;ffffffff8441fc42&gt;] __dump_stack lib/dump_stack.c:17 [inline]
 [&lt;ffffffff8441fc42&gt;] dump_stack+0x14d/0x20b lib/dump_stack.c:53
 [&lt;ffffffff81a7dec4&gt;] print_address_description+0x6f/0x20b mm/kasan/report.c:282
 [&lt;ffffffff81a7e0ec&gt;] kasan_report_error mm/kasan/report.c:380 [inline]
 [&lt;ffffffff81a7e0ec&gt;] kasan_report mm/kasan/report.c:438 [inline]
 [&lt;ffffffff81a7e0ec&gt;] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
 [&lt;ffffffff81a7dc4f&gt;] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
 [&lt;ffffffff82c8c00a&gt;] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
 [&lt;ffffffff82c60c74&gt;] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
 [&lt;ffffffff82c60c74&gt;] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
 [&lt;ffffffff83baa558&gt;] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
 [&lt;ffffffff83baa558&gt;] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
 [&lt;ffffffff83baa558&gt;] xmit_one net/core/dev.c:3611 [inline]
 [&lt;ffffffff83baa558&gt;] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
 [&lt;ffffffff83bacf35&gt;] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
 [&lt;ffffffff83bae3a8&gt;] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
 [&lt;ffffffff84339189&gt;] packet_snd net/packet/af_packet.c:3226 [inline]
 [&lt;ffffffff84339189&gt;] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
 [&lt;ffffffff83b1ac0c&gt;] sock_sendmsg_nosec net/socket.c:673 [inline]
 [&lt;ffffffff83b1ac0c&gt;] sock_sendmsg+0x12c/0x160 net/socket.c:684
 [&lt;ffffffff83b1f5a2&gt;] __sys_sendto+0x262/0x380 net/socket.c:1996
 [&lt;ffffffff83b1f700&gt;] SYSC_sendto net/socket.c:2008 [inline]
 [&lt;ffffffff83b1f700&gt;] SyS_sendto+0x40/0x60 net/socket.c:2004

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Cc: Jay Vosburgh &lt;j.vosburgh@gmail.com&gt;
Cc: Veaceslav Falico &lt;vfalico@gmail.com&gt;
Cc: Andy Gospodarek &lt;andy@greyhouse.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - Don't delete ipx_hdr() as it's still used by net/ipx here
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 38f88c45404293bbc027b956def6c10cbd45c616 upstream.

syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.

First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report transport offset was 0xFFFF

This patch removes ipx_hdr() since it was only (mis)used from bonding.

Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb-&gt;head before dereferencing anything.

BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
 (if (ipx_hdr(skb)-&gt;ipx_checksum != IPX_NO_CHECKSUM) ...)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 [&lt;ffffffff8441fc42&gt;] __dump_stack lib/dump_stack.c:17 [inline]
 [&lt;ffffffff8441fc42&gt;] dump_stack+0x14d/0x20b lib/dump_stack.c:53
 [&lt;ffffffff81a7dec4&gt;] print_address_description+0x6f/0x20b mm/kasan/report.c:282
 [&lt;ffffffff81a7e0ec&gt;] kasan_report_error mm/kasan/report.c:380 [inline]
 [&lt;ffffffff81a7e0ec&gt;] kasan_report mm/kasan/report.c:438 [inline]
 [&lt;ffffffff81a7e0ec&gt;] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
 [&lt;ffffffff81a7dc4f&gt;] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
 [&lt;ffffffff82c8c00a&gt;] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
 [&lt;ffffffff82c60c74&gt;] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
 [&lt;ffffffff82c60c74&gt;] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
 [&lt;ffffffff83baa558&gt;] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
 [&lt;ffffffff83baa558&gt;] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
 [&lt;ffffffff83baa558&gt;] xmit_one net/core/dev.c:3611 [inline]
 [&lt;ffffffff83baa558&gt;] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
 [&lt;ffffffff83bacf35&gt;] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
 [&lt;ffffffff83bae3a8&gt;] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
 [&lt;ffffffff84339189&gt;] packet_snd net/packet/af_packet.c:3226 [inline]
 [&lt;ffffffff84339189&gt;] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
 [&lt;ffffffff83b1ac0c&gt;] sock_sendmsg_nosec net/socket.c:673 [inline]
 [&lt;ffffffff83b1ac0c&gt;] sock_sendmsg+0x12c/0x160 net/socket.c:684
 [&lt;ffffffff83b1f5a2&gt;] __sys_sendto+0x262/0x380 net/socket.c:1996
 [&lt;ffffffff83b1f700&gt;] SYSC_sendto net/socket.c:2008 [inline]
 [&lt;ffffffff83b1f700&gt;] SyS_sendto+0x40/0x60 net/socket.c:2004

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Cc: Jay Vosburgh &lt;j.vosburgh@gmail.com&gt;
Cc: Veaceslav Falico &lt;vfalico@gmail.com&gt;
Cc: Andy Gospodarek &lt;andy@greyhouse.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16:
 - Don't delete ipx_hdr() as it's still used by net/ipx here
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop</title>
<updated>2020-05-22T20:19:35+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2020-01-26T00:09:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c3a7e44bf63360b68c70078125f457cb90a54c64'/>
<id>c3a7e44bf63360b68c70078125f457cb90a54c64</id>
<content type='text'>
commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 upstream.

The loop counter addr is a u16 where as the upper limit of the loop
is an int. In the unlikely event that the il-&gt;cfg-&gt;eeprom_size is
greater than 64K then we end up with an infinite loop since addr will
wrap around an never reach upper loop limit. Fix this by making addr
an int.

Addresses-Coverity: ("Infinite loop")
Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Acked-by: Stanislaw Gruszka &lt;stf_xl@wp.pl&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 upstream.

The loop counter addr is a u16 where as the upper limit of the loop
is an int. In the unlikely event that the il-&gt;cfg-&gt;eeprom_size is
greater than 64K then we end up with an infinite loop since addr will
wrap around an never reach upper loop limit. Fix this by making addr
an int.

Addresses-Coverity: ("Infinite loop")
Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Acked-by: Stanislaw Gruszka &lt;stf_xl@wp.pl&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
