<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net, branch v4.4.291</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: lan78xx: fix division by zero in send path</title>
<updated>2021-11-02T16:38:12+00:00</updated>
<author>
<name>Johan Hovold</name>
<email>johan@kernel.org</email>
</author>
<published>2021-10-26T10:36:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1ee34b2e09c21efdf8e9f96610f6a7b8fc458064'/>
<id>1ee34b2e09c21efdf8e9f96610f6a7b8fc458064</id>
<content type='text'>
commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in lan78xx_tx_bh() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org      # 4.3
Cc: Woojung.Huh@microchip.com &lt;Woojung.Huh@microchip.com&gt;
Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in lan78xx_tx_bh() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org      # 4.3
Cc: Woojung.Huh@microchip.com &lt;Woojung.Huh@microchip.com&gt;
Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "net: mdiobus: Fix memory leak in __mdiobus_register"</title>
<updated>2021-11-02T16:38:11+00:00</updated>
<author>
<name>Pavel Skripkin</name>
<email>paskripkin@gmail.com</email>
</author>
<published>2021-09-30T17:49:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b89f4537d7fdbd0bafb6d8a66a484e0bc99871a4'/>
<id>b89f4537d7fdbd0bafb6d8a66a484e0bc99871a4</id>
<content type='text'>
commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.

This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

This patch is correct in the sense that we _should_ call device_put() in
case of device_register() failure, but the problem in this code is more
vast.

We need to set bus-&gt;state to UNMDIOBUS_REGISTERED before calling
device_register() to correctly release the device in mdiobus_free().
This patch prevents us from doing it, since in case of device_register()
failure put_device() will be called 2 times and it will cause UAF or
something else.

Also, Reported-by: tag in revered commit was wrong, since syzbot
reported different leak in same function.

Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
Acked-by: Yanfei Xu &lt;yanfei.xu@windriver.com&gt;
Signed-off-by: Pavel Skripkin &lt;paskripkin@gmail.com&gt;
Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.

This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

This patch is correct in the sense that we _should_ call device_put() in
case of device_register() failure, but the problem in this code is more
vast.

We need to set bus-&gt;state to UNMDIOBUS_REGISTERED before calling
device_register() to correctly release the device in mdiobus_free().
This patch prevents us from doing it, since in case of device_register()
failure put_device() will be called 2 times and it will cause UAF or
something else.

Also, Reported-by: tag in revered commit was wrong, since syzbot
reported different leak in same function.

Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
Acked-by: Yanfei Xu &lt;yanfei.xu@windriver.com&gt;
Signed-off-by: Pavel Skripkin &lt;paskripkin@gmail.com&gt;
Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbnet: fix error return code in usbnet_probe()</title>
<updated>2021-11-02T16:38:11+00:00</updated>
<author>
<name>Wang Hai</name>
<email>wanghai38@huawei.com</email>
</author>
<published>2021-10-26T12:40:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=65695c85607034b23d54dccbe7a9bdbf38b94cbf'/>
<id>65695c85607034b23d54dccbe7a9bdbf38b94cbf</id>
<content type='text'>
commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.

Return error code if usb_maxpacket() returns 0 in usbnet_probe()

Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Wang Hai &lt;wanghai38@huawei.com&gt;
Reviewed-by: Johan Hovold &lt;johan@kernel.org&gt;
Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.

Return error code if usb_maxpacket() returns 0 in usbnet_probe()

Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Wang Hai &lt;wanghai38@huawei.com&gt;
Reviewed-by: Johan Hovold &lt;johan@kernel.org&gt;
Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbnet: sanity check for maxpacket</title>
<updated>2021-11-02T16:38:11+00:00</updated>
<author>
<name>Oliver Neukum</name>
<email>oneukum@suse.com</email>
</author>
<published>2021-10-21T12:29:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b9eba0a4a527e04d712f0e0401e5391ef124b33e'/>
<id>b9eba0a4a527e04d712f0e0401e5391ef124b33e</id>
<content type='text'>
commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.

maxpacket of 0 makes no sense and oopses as we need to divide
by it. Give up.

V2: fixed typo in log and stylistic issues

Signed-off-by: Oliver Neukum &lt;oneukum@suse.com&gt;
Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
Reviewed-by: Johan Hovold &lt;johan@kernel.org&gt;
Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.

maxpacket of 0 makes no sense and oopses as we need to divide
by it. Give up.

V2: fixed typo in log and stylistic issues

Signed-off-by: Oliver Neukum &lt;oneukum@suse.com&gt;
Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
Reviewed-by: Johan Hovold &lt;johan@kernel.org&gt;
Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: mdiobus: Fix memory leak in __mdiobus_register</title>
<updated>2021-10-27T07:32:40+00:00</updated>
<author>
<name>Yanfei Xu</name>
<email>yanfei.xu@windriver.com</email>
</author>
<published>2021-09-26T04:53:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fd2400dd4f1b8bd7a309b1b424d9e0d188151b01'/>
<id>fd2400dd4f1b8bd7a309b1b424d9e0d188151b01</id>
<content type='text'>
commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.

Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it will cause memory
leak.

BUG: memory leak
unreferenced object 0xffff888114032e00 (size 256):
  comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff  ................
    08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff  .........ve.....
  backtrace:
    [&lt;ffffffff8265cfab&gt;] kmalloc include/linux/slab.h:591 [inline]
    [&lt;ffffffff8265cfab&gt;] kzalloc include/linux/slab.h:721 [inline]
    [&lt;ffffffff8265cfab&gt;] device_private_init drivers/base/core.c:3203 [inline]
    [&lt;ffffffff8265cfab&gt;] device_add+0x89b/0xdf0 drivers/base/core.c:3253
    [&lt;ffffffff828dd643&gt;] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
    [&lt;ffffffff828cb835&gt;] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [&lt;ffffffff82b92a00&gt;] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [&lt;ffffffff82b92a00&gt;] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [&lt;ffffffff82baa33f&gt;] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [&lt;ffffffff82c36e17&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;ffffffff82661d17&gt;] call_driver_probe drivers/base/dd.c:517 [inline]
    [&lt;ffffffff82661d17&gt;] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [&lt;ffffffff826620bc&gt;] really_probe drivers/base/dd.c:558 [inline]
    [&lt;ffffffff826620bc&gt;] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [&lt;ffffffff826621ba&gt;] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [&lt;ffffffff82662a26&gt;] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [&lt;ffffffff8265eca7&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [&lt;ffffffff826625a2&gt;] __device_attach+0x122/0x260 drivers/base/dd.c:969
    [&lt;ffffffff82660916&gt;] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [&lt;ffffffff8265cd0b&gt;] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
    [&lt;ffffffff82c343b9&gt;] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
    [&lt;ffffffff82c4473c&gt;] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238

BUG: memory leak
unreferenced object 0xffff888116f06900 (size 32):
  comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
  hex dump (first 32 bytes):
    75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00  usb-001:003.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffff81484516&gt;] kstrdup+0x36/0x70 mm/util.c:60
    [&lt;ffffffff814845a3&gt;] kstrdup_const+0x53/0x80 mm/util.c:83
    [&lt;ffffffff82296ba2&gt;] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
    [&lt;ffffffff82358d4b&gt;] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
    [&lt;ffffffff826575f3&gt;] dev_set_name+0x63/0x90 drivers/base/core.c:3147
    [&lt;ffffffff828dd63b&gt;] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
    [&lt;ffffffff828cb835&gt;] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [&lt;ffffffff82b92a00&gt;] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [&lt;ffffffff82b92a00&gt;] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [&lt;ffffffff82baa33f&gt;] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [&lt;ffffffff82c36e17&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;ffffffff82661d17&gt;] call_driver_probe drivers/base/dd.c:517 [inline]
    [&lt;ffffffff82661d17&gt;] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [&lt;ffffffff826620bc&gt;] really_probe drivers/base/dd.c:558 [inline]
    [&lt;ffffffff826620bc&gt;] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [&lt;ffffffff826621ba&gt;] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [&lt;ffffffff82662a26&gt;] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [&lt;ffffffff8265eca7&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [&lt;ffffffff826625a2&gt;] __device_attach+0x122/0x260 drivers/base/dd.c:969

Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu &lt;yanfei.xu@windriver.com&gt;
Reviewed-by: Andrew Lunn &lt;andrew@lunn.ch&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.

Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it will cause memory
leak.

BUG: memory leak
unreferenced object 0xffff888114032e00 (size 256):
  comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff  ................
    08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff  .........ve.....
  backtrace:
    [&lt;ffffffff8265cfab&gt;] kmalloc include/linux/slab.h:591 [inline]
    [&lt;ffffffff8265cfab&gt;] kzalloc include/linux/slab.h:721 [inline]
    [&lt;ffffffff8265cfab&gt;] device_private_init drivers/base/core.c:3203 [inline]
    [&lt;ffffffff8265cfab&gt;] device_add+0x89b/0xdf0 drivers/base/core.c:3253
    [&lt;ffffffff828dd643&gt;] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
    [&lt;ffffffff828cb835&gt;] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [&lt;ffffffff82b92a00&gt;] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [&lt;ffffffff82b92a00&gt;] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [&lt;ffffffff82baa33f&gt;] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [&lt;ffffffff82c36e17&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;ffffffff82661d17&gt;] call_driver_probe drivers/base/dd.c:517 [inline]
    [&lt;ffffffff82661d17&gt;] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [&lt;ffffffff826620bc&gt;] really_probe drivers/base/dd.c:558 [inline]
    [&lt;ffffffff826620bc&gt;] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [&lt;ffffffff826621ba&gt;] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [&lt;ffffffff82662a26&gt;] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [&lt;ffffffff8265eca7&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [&lt;ffffffff826625a2&gt;] __device_attach+0x122/0x260 drivers/base/dd.c:969
    [&lt;ffffffff82660916&gt;] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [&lt;ffffffff8265cd0b&gt;] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
    [&lt;ffffffff82c343b9&gt;] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
    [&lt;ffffffff82c4473c&gt;] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238

BUG: memory leak
unreferenced object 0xffff888116f06900 (size 32):
  comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
  hex dump (first 32 bytes):
    75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00  usb-001:003.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffff81484516&gt;] kstrdup+0x36/0x70 mm/util.c:60
    [&lt;ffffffff814845a3&gt;] kstrdup_const+0x53/0x80 mm/util.c:83
    [&lt;ffffffff82296ba2&gt;] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
    [&lt;ffffffff82358d4b&gt;] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
    [&lt;ffffffff826575f3&gt;] dev_set_name+0x63/0x90 drivers/base/core.c:3147
    [&lt;ffffffff828dd63b&gt;] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
    [&lt;ffffffff828cb835&gt;] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
    [&lt;ffffffff82b92a00&gt;] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
    [&lt;ffffffff82b92a00&gt;] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
    [&lt;ffffffff82baa33f&gt;] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
    [&lt;ffffffff82c36e17&gt;] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [&lt;ffffffff82661d17&gt;] call_driver_probe drivers/base/dd.c:517 [inline]
    [&lt;ffffffff82661d17&gt;] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
    [&lt;ffffffff826620bc&gt;] really_probe drivers/base/dd.c:558 [inline]
    [&lt;ffffffff826620bc&gt;] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
    [&lt;ffffffff826621ba&gt;] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
    [&lt;ffffffff82662a26&gt;] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
    [&lt;ffffffff8265eca7&gt;] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [&lt;ffffffff826625a2&gt;] __device_attach+0x122/0x260 drivers/base/dd.c:969

Reported-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu &lt;yanfei.xu@windriver.com&gt;
Reviewed-by: Andrew Lunn &lt;andrew@lunn.ch&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: peak_pci: peak_pci_remove(): fix UAF</title>
<updated>2021-10-27T07:32:39+00:00</updated>
<author>
<name>Zheyu Ma</name>
<email>zheyuma97@gmail.com</email>
</author>
<published>2021-10-14T06:28:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c616528ba4aeb1125a06b407572ab7b56acae38'/>
<id>1c616528ba4aeb1125a06b407572ab7b56acae38</id>
<content type='text'>
commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream.

When remove the module peek_pci, referencing 'chan' again after
releasing 'dev' will cause UAF.

Fix this by releasing 'dev' later.

The following log reveals it:

[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250

Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards")
Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Zheyu Ma &lt;zheyuma97@gmail.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 949fe9b35570361bc6ee2652f89a0561b26eec98 upstream.

When remove the module peek_pci, referencing 'chan' again after
releasing 'dev' will cause UAF.

Fix this by releasing 'dev' later.

The following log reveals it:

[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250

Fixes: e6d9c80b7ca1 ("can: peak_pci: add support of some new PEAK-System PCI cards")
Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Zheyu Ma &lt;zheyuma97@gmail.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification</title>
<updated>2021-10-27T07:32:39+00:00</updated>
<author>
<name>Stephane Grosjean</name>
<email>s.grosjean@peak-system.com</email>
</author>
<published>2021-09-29T14:21:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=87e08065b1a8317cdf750c9206b1f3ae2beb88f7'/>
<id>87e08065b1a8317cdf750c9206b1f3ae2beb88f7</id>
<content type='text'>
commit 3d031abc7e7249573148871180c28ecedb5e27df upstream.

This corrects the lack of notification of a return to ERROR_ACTIVE
state for USB - CANFD devices from PEAK-System.

Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com
Cc: stable@vger.kernel.org
Signed-off-by: Stephane Grosjean &lt;s.grosjean@peak-system.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3d031abc7e7249573148871180c28ecedb5e27df upstream.

This corrects the lack of notification of a return to ERROR_ACTIVE
state for USB - CANFD devices from PEAK-System.

Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Link: https://lore.kernel.org/all/20210929142111.55757-1-s.grosjean@peak-system.com
Cc: stable@vger.kernel.org
Signed-off-by: Stephane Grosjean &lt;s.grosjean@peak-system.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: rcar_can: fix suspend/resume</title>
<updated>2021-10-27T07:32:39+00:00</updated>
<author>
<name>Yoshihiro Shimoda</name>
<email>yoshihiro.shimoda.uh@renesas.com</email>
</author>
<published>2021-09-24T07:55:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=70cf33bb9012ffc64523a59849940b27e34f6f82'/>
<id>70cf33bb9012ffc64523a59849940b27e34f6f82</id>
<content type='text'>
commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream.

If the driver was not opened, rcar_can_suspend() should not call
clk_disable() because the clock was not enabled.

Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com
Cc: stable@vger.kernel.org
Signed-off-by: Yoshihiro Shimoda &lt;yoshihiro.shimoda.uh@renesas.com&gt;
Tested-by: Ayumi Nakamichi &lt;ayumi.nakamichi.kf@renesas.com&gt;
Reviewed-by: Ulrich Hecht &lt;uli+renesas@fpond.eu&gt;
Tested-by: Biju Das &lt;biju.das.jz@bp.renesas.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f7c05c3987dcfde9a4e8c2d533db013fabebca0d upstream.

If the driver was not opened, rcar_can_suspend() should not call
clk_disable() because the clock was not enabled.

Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
Link: https://lore.kernel.org/all/20210924075556.223685-1-yoshihiro.shimoda.uh@renesas.com
Cc: stable@vger.kernel.org
Signed-off-by: Yoshihiro Shimoda &lt;yoshihiro.shimoda.uh@renesas.com&gt;
Tested-by: Ayumi Nakamichi &lt;ayumi.nakamichi.kf@renesas.com&gt;
Reviewed-by: Ulrich Hecht &lt;uli+renesas@fpond.eu&gt;
Tested-by: Biju Das &lt;biju.das.jz@bp.renesas.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256</title>
<updated>2021-10-27T07:32:39+00:00</updated>
<author>
<name>Vegard Nossum</name>
<email>vegard.nossum@oracle.com</email>
</author>
<published>2021-10-11T15:22:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=85f2d0ff3d7350092a956201f66d314decabcdde'/>
<id>85f2d0ff3d7350092a956201f66d314decabcdde</id>
<content type='text'>
commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream.

Fix the following build/link errors by adding a dependency on
CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32:

  ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum':
  r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash'
  ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest'
  ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm'
  ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode':
  r8152.c:(.text+0xdcb0): undefined reference to `crc32_le'

Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153")
Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152")
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream.

Fix the following build/link errors by adding a dependency on
CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32:

  ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum':
  r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash'
  ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest'
  ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm'
  ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode':
  r8152.c:(.text+0xdcb0): undefined reference to `crc32_le'

Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153")
Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152")
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ethernet: s2io: fix setting mac address during resume</title>
<updated>2021-10-27T07:32:38+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2021-10-13T14:35:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fd6b37c54c9825939cd3497b54ae5626122018db'/>
<id>fd6b37c54c9825939cd3497b54ae5626122018db</id>
<content type='text'>
commit 40507e7aada8422c38aafa0c8a1a09e4623c712a upstream.

After recent cleanups, gcc started warning about a suspicious
memcpy() call during the s2io_io_resume() function:

In function '__dev_addr_set',
    inlined from 'eth_hw_addr_set' at include/linux/etherdevice.h:318:2,
    inlined from 's2io_set_mac_addr' at drivers/net/ethernet/neterion/s2io.c:5205:2,
    inlined from 's2io_io_resume' at drivers/net/ethernet/neterion/s2io.c:8569:7:
arch/x86/include/asm/string_32.h:182:25: error: '__builtin_memcpy' accessing 6 bytes at offsets 0 and 2 overlaps 4 bytes at offset 2 [-Werror=restrict]
  182 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/netdevice.h:4648:9: note: in expansion of macro 'memcpy'
 4648 |         memcpy(dev-&gt;dev_addr, addr, len);
      |         ^~~~~~

What apparently happened is that an old cleanup changed the calling
conventions for s2io_set_mac_addr() from taking an ethernet address
as a character array to taking a struct sockaddr, but one of the
callers was not changed at the same time.

Change it to instead call the low-level do_s2io_prog_unicast() function
that still takes the old argument type.

Fixes: 2fd376884558 ("S2io: Added support set_mac_address driver entry point")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Link: https://lore.kernel.org/r/20211013143613.2049096-1-arnd@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 40507e7aada8422c38aafa0c8a1a09e4623c712a upstream.

After recent cleanups, gcc started warning about a suspicious
memcpy() call during the s2io_io_resume() function:

In function '__dev_addr_set',
    inlined from 'eth_hw_addr_set' at include/linux/etherdevice.h:318:2,
    inlined from 's2io_set_mac_addr' at drivers/net/ethernet/neterion/s2io.c:5205:2,
    inlined from 's2io_io_resume' at drivers/net/ethernet/neterion/s2io.c:8569:7:
arch/x86/include/asm/string_32.h:182:25: error: '__builtin_memcpy' accessing 6 bytes at offsets 0 and 2 overlaps 4 bytes at offset 2 [-Werror=restrict]
  182 | #define memcpy(t, f, n) __builtin_memcpy(t, f, n)
      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/netdevice.h:4648:9: note: in expansion of macro 'memcpy'
 4648 |         memcpy(dev-&gt;dev_addr, addr, len);
      |         ^~~~~~

What apparently happened is that an old cleanup changed the calling
conventions for s2io_set_mac_addr() from taking an ethernet address
as a character array to taking a struct sockaddr, but one of the
callers was not changed at the same time.

Change it to instead call the low-level do_s2io_prog_unicast() function
that still takes the old argument type.

Fixes: 2fd376884558 ("S2io: Added support set_mac_address driver entry point")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Link: https://lore.kernel.org/r/20211013143613.2049096-1-arnd@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
