Add slcan and slip fixes that needed careful backporting
diff --git a/queue-3.16/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/queue-3.16/can-slcan-fix-use-after-free-read-in-slcan_open.patch
new file mode 100644
index 0000000..d70e3ae
--- /dev/null
+++ b/queue-3.16/can-slcan-fix-use-after-free-read-in-slcan_open.patch
@@ -0,0 +1,60 @@
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 27 Nov 2019 08:40:26 +0200
+Subject: can: slcan: Fix use-after-free Read in slcan_open
+
+commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.
+
+Slcan_open doesn't clean-up device which registration failed from the
+slcan_devs device list. On next open this list is iterated and freed
+device is accessed. Fix this by calling slc_free_netdev in error path.
+
+Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
+identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
+trace from the Syzbot slip report:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
+ delete the direct call to free_netdev()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -620,7 +620,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
+- free_netdev(sl->dev);
++ slc_free_netdev(sl->dev);
+
+ err_exit:
+ rtnl_unlock();
diff --git a/queue-3.16/series b/queue-3.16/series
new file mode 100644
index 0000000..fcfaddb
--- /dev/null
+++ b/queue-3.16/series
@@ -0,0 +1,6 @@
+slcan-fix-memory-leak-in-error-path.patch
+can-slcan-fix-use-after-free-read-in-slcan_open.patch
+slcan-not-call-free_netdev-before-rtnl_unlock-in-slcan_open.patch
+slip-fix-memory-leak-in-slip_open-error-path.patch
+slip-fix-use-after-free-read-in-slip_open.patch
+slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
diff --git a/queue-3.16/slcan-fix-memory-leak-in-error-path.patch b/queue-3.16/slcan-fix-memory-leak-in-error-path.patch
new file mode 100644
index 0000000..9ad34e0
--- /dev/null
+++ b/queue-3.16/slcan-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,48 @@
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 12:08:01 +0200
+Subject: slcan: Fix memory leak in error path
+
+commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.
+
+This patch is fixing memory leak reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+ comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+ hex dump (first 32 bytes):
+ 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+ [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+ [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+ [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+ [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+ [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+ [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+ [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+ [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+ [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+ [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<000000008ea75434>] 0xffffffffffffffff
+
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/slcan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -620,6 +620,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ free_netdev(sl->dev);
+
+ err_exit:
+ rtnl_unlock();
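Review bot: Applied on its own, the added `free_netdev(sl->dev);` leaves the freed device in slcan_devs, which is the use-after-free that can-slcan-fix-use-after-free-read-in-slcan_open.patch (Fixes: ed50e1600b44) describes, and it frees while RTNL is still held. The patch header gives no hint of this, so anyone cherry-picking this one file from the queue gets a leak fix that introduces a use-after-free on the next open. I would add a bracketed note to the header, e.g. `[Backport note: apply only together with the two follow-up slcan_open fixes in this series]`. The same holds for `free_netdev(sl->dev);` in slip-fix-memory-leak-in-slip_open-error-path.patch and its two slip_open follow-ups. The err_free_chan path starts outside the hunk, so this rests on the later patches' descriptions.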
diff --git a/queue-3.16/slcan-not-call-free_netdev-before-rtnl_unlock-in-slcan_open.patch b/queue-3.16/slcan-not-call-free_netdev-before-rtnl_unlock-in-slcan_open.patch
new file mode 100644
index 0000000..7aecefc
--- /dev/null
+++ b/queue-3.16/slcan-not-call-free_netdev-before-rtnl_unlock-in-slcan_open.patch
@@ -0,0 +1,34 @@
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sat, 21 Mar 2020 14:08:29 +0100
+Subject: slcan: not call free_netdev before rtnl_unlock in slcan_open
+
+commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.
+
+As the description before netdev_run_todo, we cannot call free_netdev
+before rtnl_unlock, fix it by reorder the code.
+
+This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
+("slip: not call free_netdev before rtnl_unlock in slip_open").
+
+Reported-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/slcan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -620,7 +620,10 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ /* do not call free_netdev before rtnl_unlock */
++ rtnl_unlock();
+ slc_free_netdev(sl->dev);
++ return err;
+
+ err_exit:
+ rtnl_unlock();
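Review bot: In this tree the `slc_free_netdev(sl->dev);` call that now runs after `rtnl_unlock()` is more than a free: per the earlier backport note it calls free_netdev() itself, and per that patch's description it also removes the device from slcan_devs. If the list walk on open runs under RTNL, as the `rtnl_unlock()` at err_exit suggests, another open could take the lock in this window and still find the device in the list while it is being freed. Please confirm that slc_free_netdev() in 3.16 clears the slot before freeing, and document the constraint at the call, e.g. `/* slc_free_netdev() also unlinks the device from slcan_devs; it runs without RTNL here */`. The same question applies to `sl_free_netdev(sl->dev);` in slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch. Both helper bodies and the rest of slcan_open/slip_open are outside the hunks, so the locking is inferred.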
diff --git a/queue-3.16/slip-fix-memory-leak-in-slip_open-error-path.patch b/queue-3.16/slip-fix-memory-leak-in-slip_open-error-path.patch
new file mode 100644
index 0000000..8f449d8
--- /dev/null
+++ b/queue-3.16/slip-fix-memory-leak-in-slip_open-error-path.patch
@@ -0,0 +1,52 @@
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 13:45:02 +0200
+Subject: slip: Fix memory leak in slip_open error path
+
+commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa upstream.
+
+Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
+by Syzkaller in slcan. Same issue exists in slip.c and this patch is
+addressing the leak in slip.c.
+
+Here is the slcan memory leak trace reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+ comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+ hex dump (first 32 bytes):
+ 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+ [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+ [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+ [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+ [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+ [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+ [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+ [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+ [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+ [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+ [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<000000008ea75434>] 0xfffffffffffffff
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/slip/slip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -867,6 +867,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ free_netdev(sl->dev);
+
+ err_exit:
+ rtnl_unlock();
diff --git a/queue-3.16/slip-fix-use-after-free-read-in-slip_open.patch b/queue-3.16/slip-fix-use-after-free-read-in-slip_open.patch
new file mode 100644
index 0000000..e33bd05
--- /dev/null
+++ b/queue-3.16/slip-fix-use-after-free-read-in-slip_open.patch
@@ -0,0 +1,57 @@
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Mon, 25 Nov 2019 14:23:43 +0200
+Subject: slip: Fix use-after-free Read in slip_open
+
+commit e58c1912418980f57ba2060017583067f5f71e52 upstream.
+
+Slip_open doesn't clean-up device which registration failed from the
+slip_devs device list. On next open after failure this list is iterated
+and freed device is accessed. Fix this by calling sl_free_netdev in error
+path.
+
+Here is the trace from the Syzbot:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
+Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: sl_free_netdev() calls free_netdev() here, so
+ delete the direct call to free_netdev()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -867,7 +867,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
+- free_netdev(sl->dev);
++ sl_free_netdev(sl->dev);
+
+ err_exit:
+ rtnl_unlock();
diff --git a/queue-3.16/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch b/queue-3.16/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
new file mode 100644
index 0000000..e022c36
--- /dev/null
+++ b/queue-3.16/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
@@ -0,0 +1,31 @@
+From: yangerkun <yangerkun@huawei.com>
+Date: Wed, 26 Feb 2020 11:54:35 +0800
+Subject: slip: not call free_netdev before rtnl_unlock in slip_open
+
+commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.
+
+As the description before netdev_run_todo, we cannot call free_netdev
+before rtnl_unlock, fix it by reorder the code.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/slip/slip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -867,7 +867,10 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ /* do not call free_netdev before rtnl_unlock */
++ rtnl_unlock();
+ sl_free_netdev(sl->dev);
++ return err;
+
+ err_exit:
+ rtnl_unlock();