authorLinus Torvalds <torvalds@linux-foundation.org>2018-12-21 17:21:17 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2018-12-21 17:21:17 -0500
commit87935eee57705e9b6df506c5df8b92d6a0b77a51 (patch)
tree5febc659c279ba3acc6808ce8b37416870b54b27
parent5092adb2272e1760030a889aa4a3e9cf1d5f74b5 (diff)
parentd667044f49513d55fcfefe4fa8f8d96091782901 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull more networking fixes from David Miller: "Some more bug fixes have trickled in, we have: 1) Local MAC entries properly in mscc driver, from Allan W. Nielsen. 2) Eric Dumazet found some more of the typical "pskb_may_pull() --> oops forgot to reload the header pointer" bugs in ipv6 tunnel handling. 3) Bad SKB socket pointer in ipv6 fragmentation handling, from Herbert Xu. 4) Overflow fix in sk_msg_clone(), from Vakul Garg. 5) Validate address lengths in AF_PACKET, from Willem de Bruijn" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup qmi_wwan: Add support for Fibocom NL678 series tls: Do not call sk_memcopy_from_iter with zero length ipv6: tunnels: fix two use-after-free Prevent overflow of sk_msg in sk_msg_clone() packet: validate address length net: netxen: fix a missing check and an uninitialized use tcp: fix a race in inet_diag_dump_icsk() MAINTAINERS: update cxgb4 and cxgb3 maintainer ipv6: frags: Fix bogus skb->sk in reassembled packets mscc: Configured MAC entries should be locked.
-rw-r--r--MAINTAINERS4
-rw-r--r--drivers/net/ethernet/mscc/ocelot.c2
-rw-r--r--drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c3
-rw-r--r--drivers/net/usb/qmi_wwan.c16
-rw-r--r--net/core/skmsg.c3
-rw-r--r--net/ipv4/inet_diag.c4
-rw-r--r--net/ipv6/ip6_tunnel.c1
-rw-r--r--net/ipv6/ip6_vti.c1
-rw-r--r--net/ipv6/reassembly.c1
-rw-r--r--net/packet/af_packet.c4
-rw-r--r--net/tls/tls_sw.c10
11 files changed, 33 insertions, 16 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index 842b697a1511..f3a5c97e3419 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4057,7 +4057,7 @@ S: Maintained
4057F: drivers/media/dvb-frontends/cxd2820r* 4057F: drivers/media/dvb-frontends/cxd2820r*
4058 4058
4059CXGB3 ETHERNET DRIVER (CXGB3) 4059CXGB3 ETHERNET DRIVER (CXGB3)
4060M: Santosh Raspatur <santosh@chelsio.com> 4060M: Arjun Vynipadath <arjun@chelsio.com>
4061L: netdev@vger.kernel.org 4061L: netdev@vger.kernel.org
4062W: http://www.chelsio.com 4062W: http://www.chelsio.com
4063S: Supported 4063S: Supported
@@ -4086,7 +4086,7 @@ S: Supported
4086F: drivers/crypto/chelsio 4086F: drivers/crypto/chelsio
4087 4087
4088CXGB4 ETHERNET DRIVER (CXGB4) 4088CXGB4 ETHERNET DRIVER (CXGB4)
4089M: Ganesh Goudar <ganeshgr@chelsio.com> 4089M: Arjun Vynipadath <arjun@chelsio.com>
4090L: netdev@vger.kernel.org 4090L: netdev@vger.kernel.org
4091W: http://www.chelsio.com 4091W: http://www.chelsio.com
4092S: Supported 4092S: Supported
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 3238b9ee42f3..c84074fa4c95 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -747,7 +747,7 @@ static int ocelot_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
747 } 747 }
748 748
749 return ocelot_mact_learn(ocelot, port->chip_port, addr, vid, 749 return ocelot_mact_learn(ocelot, port->chip_port, addr, vid,
750 ENTRYTYPE_NORMAL); 750 ENTRYTYPE_LOCKED);
751} 751}
752 752
753static int ocelot_fdb_del(struct ndmsg *ndm, struct nlattr *tb[], 753static int ocelot_fdb_del(struct ndmsg *ndm, struct nlattr *tb[],
diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
index 0ea141ece19e..6547a9dd5935 100644
--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
@@ -1125,7 +1125,8 @@ netxen_validate_firmware(struct netxen_adapter *adapter)
1125 return -EINVAL; 1125 return -EINVAL;
1126 } 1126 }
1127 val = nx_get_bios_version(adapter); 1127 val = nx_get_bios_version(adapter);
1128 netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios); 1128 if (netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios))
1129 return -EIO;
1129 if ((__force u32)val != bios) { 1130 if ((__force u32)val != bios) {
1130 dev_err(&pdev->dev, "%s: firmware bios is incompatible\n", 1131 dev_err(&pdev->dev, "%s: firmware bios is incompatible\n",
1131 fw_name[fw_type]); 1132 fw_name[fw_type]);
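Review bot: The new `return -EIO` taken when netxen_rom_fast_read() fails is silent, while the version-mismatch branch directly below it reports through dev_err(). A flash read failure during firmware validation would therefore leave no trace of which step failed. Consider logging before returning, for example `dev_err(&pdev->dev, "%s: failed to read bios version\n", fw_name[fw_type]);`. netxen_validate_firmware starts and ends outside the hunk, so any logging done by its callers is not visible here.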
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index c8872dd5ff5e..774e1ff01c9a 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -151,17 +151,18 @@ static bool qmimux_has_slaves(struct usbnet *dev)
151 151
152static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) 152static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
153{ 153{
154 unsigned int len, offset = sizeof(struct qmimux_hdr); 154 unsigned int len, offset = 0;
155 struct qmimux_hdr *hdr; 155 struct qmimux_hdr *hdr;
156 struct net_device *net; 156 struct net_device *net;
157 struct sk_buff *skbn; 157 struct sk_buff *skbn;
158 u8 qmimux_hdr_sz = sizeof(*hdr);
158 159
159 while (offset < skb->len) { 160 while (offset + qmimux_hdr_sz < skb->len) {
160 hdr = (struct qmimux_hdr *)skb->data; 161 hdr = (struct qmimux_hdr *)(skb->data + offset);
161 len = be16_to_cpu(hdr->pkt_len); 162 len = be16_to_cpu(hdr->pkt_len);
162 163
163 /* drop the packet, bogus length */ 164 /* drop the packet, bogus length */
164 if (offset + len > skb->len) 165 if (offset + len + qmimux_hdr_sz > skb->len)
165 return 0; 166 return 0;
166 167
167 /* control packet, we do not know what to do */ 168 /* control packet, we do not know what to do */
@@ -176,7 +177,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
176 return 0; 177 return 0;
177 skbn->dev = net; 178 skbn->dev = net;
178 179
179 switch (skb->data[offset] & 0xf0) { 180 switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) {
180 case 0x40: 181 case 0x40:
181 skbn->protocol = htons(ETH_P_IP); 182 skbn->protocol = htons(ETH_P_IP);
182 break; 183 break;
@@ -188,12 +189,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
188 goto skip; 189 goto skip;
189 } 190 }
190 191
191 skb_put_data(skbn, skb->data + offset, len); 192 skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, len);
192 if (netif_rx(skbn) != NET_RX_SUCCESS) 193 if (netif_rx(skbn) != NET_RX_SUCCESS)
193 return 0; 194 return 0;
194 195
195skip: 196skip:
196 offset += len + sizeof(struct qmimux_hdr); 197 offset += len + qmimux_hdr_sz;
197 } 198 }
198 return 1; 199 return 1;
199} 200}
@@ -1265,6 +1266,7 @@ static const struct usb_device_id products[] = {
1265 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ 1266 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
1266 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ 1267 {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
1267 {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ 1268 {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */
1269 {QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)}, /* Fibocom NL678 series */
1268 1270
1269 /* 4. Gobi 1000 devices */ 1271 /* 4. Gobi 1000 devices */
1270 {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ 1272 {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
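Review bot: A header whose `pkt_len` is zero passes the new bounds check in qmimux_rx_fixup, and the protocol switch then reads `skb->data[offset + qmimux_hdr_sz]`. That byte is in bounds only because of the loop condition, and it belongs to whatever follows the header rather than to a payload. Since the length is supplied by the device, the guard could reject this case together with the oversize one, e.g. `if (!len || offset + len + qmimux_hdr_sz > skb->len) return 0;`. Separately, the `goto skip` at the end of the switch runs after `skbn` has been set up and no free is visible on that path; its case label is outside the hunk, so confirm that `skbn` is released before skipping.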
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 56a99d0c9aa0..b7dbb3c976cd 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -94,6 +94,9 @@ int sk_msg_clone(struct sock *sk, struct sk_msg *dst, struct sk_msg *src,
94 } 94 }
95 95
96 while (len) { 96 while (len) {
97 if (sk_msg_full(dst))
98 return -ENOSPC;
99
97 sge_len = sge->length - off; 100 sge_len = sge->length - off;
98 sge_off = sge->offset + off; 101 sge_off = sge->offset + off;
99 if (sge_len > len) 102 if (sge_len > len)
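Review bot: The `-ENOSPC` return sits inside the copy loop of sk_msg_clone, so when dst fills up partway through, whatever earlier iterations added presumably stays in dst (the rest of the loop body is outside the hunk). Callers then need to know that dst can be left partially populated after this error. A comment on the check would record that, e.g. `/* dst may already hold part of src; caller must trim it on error */`. Alternatively the remaining capacity could be checked once before the loop, so the function fails without side effects.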
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 4e5bc4b2f14e..1a4e9ff02762 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -998,7 +998,9 @@ next_chunk:
998 if (!inet_diag_bc_sk(bc, sk)) 998 if (!inet_diag_bc_sk(bc, sk))
999 goto next_normal; 999 goto next_normal;
1000 1000
1001 sock_hold(sk); 1001 if (!refcount_inc_not_zero(&sk->sk_refcnt))
1002 goto next_normal;
1003
1002 num_arr[accum] = num; 1004 num_arr[accum] = num;
1003 sk_arr[accum] = sk; 1005 sk_arr[accum] = sk;
1004 if (++accum == SKARR_SZ) 1006 if (++accum == SKARR_SZ)
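Review bot: The switch from sock_hold() to `refcount_inc_not_zero(&sk->sk_refcnt)` has no comment saying why an unconditional hold is unsafe at this point, and a later cleanup could plausibly change it back. A one-line comment above the check would keep the reasoning next to the code, e.g. `/* sk may already be on its way to being freed; take it only if a reference can still be obtained */`. The surrounding loop starts and ends outside the hunk.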
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index a9d06d4dd057..99179b9c8384 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -901,6 +901,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
901 goto drop; 901 goto drop;
902 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) 902 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
903 goto drop; 903 goto drop;
904 ipv6h = ipv6_hdr(skb);
904 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) 905 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
905 goto drop; 906 goto drop;
906 if (iptunnel_pull_header(skb, 0, tpi->proto, false)) 907 if (iptunnel_pull_header(skb, 0, tpi->proto, false))
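Review bot: The added `ipv6h = ipv6_hdr(skb);` has no comment, and nothing in the hunk shows which earlier call can move the packet head and leave the old pointer stale. The same bare reload is added in vti6_rcv in net/ipv6/ip6_vti.c. A short comment at both sites would stop the line from being removed later as redundant, e.g. `/* skb head may have been reallocated above; reload before dereferencing */`. Any other header pointer cached earlier in ipxip6_rcv would need the same treatment; that cannot be checked from the hunk, because the function starts and ends outside it.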
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index eeaf7455d51e..706fe42e4928 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
318 return 0; 318 return 0;
319 } 319 }
320 320
321 ipv6h = ipv6_hdr(skb);
321 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) { 322 if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
322 t->dev->stats.rx_dropped++; 323 t->dev->stats.rx_dropped++;
323 rcu_read_unlock(); 324 rcu_read_unlock();
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index aa26c45486d9..a5bb59ee50ac 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -384,6 +384,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
384 if (skb_try_coalesce(head, fp, &headstolen, &delta)) { 384 if (skb_try_coalesce(head, fp, &headstolen, &delta)) {
385 kfree_skb_partial(fp, headstolen); 385 kfree_skb_partial(fp, headstolen);
386 } else { 386 } else {
387 fp->sk = NULL;
387 if (!skb_shinfo(head)->frag_list) 388 if (!skb_shinfo(head)->frag_list)
388 skb_shinfo(head)->frag_list = fp; 389 skb_shinfo(head)->frag_list = fp;
389 head->data_len += fp->len; 390 head->data_len += fp->len;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 6655793765b2..5dda263b4a0a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2627,6 +2627,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
2627 proto = saddr->sll_protocol; 2627 proto = saddr->sll_protocol;
2628 addr = saddr->sll_addr; 2628 addr = saddr->sll_addr;
2629 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); 2629 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
2630 if (addr && dev && saddr->sll_halen < dev->addr_len)
2631 goto out;
2630 } 2632 }
2631 2633
2632 err = -ENXIO; 2634 err = -ENXIO;
@@ -2825,6 +2827,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
2825 proto = saddr->sll_protocol; 2827 proto = saddr->sll_protocol;
2826 addr = saddr->sll_addr; 2828 addr = saddr->sll_addr;
2827 dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); 2829 dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
2830 if (addr && dev && saddr->sll_halen < dev->addr_len)
2831 goto out;
2828 } 2832 }
2829 2833
2830 err = -ENXIO; 2834 err = -ENXIO;
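Review bot: The new address-length check in tpacket_snd and packet_snd runs after `dev_get_by_index()` has succeeded, and because the condition requires `dev` to be non-NULL, the function leaves through `out` while holding a device reference every time it fires. The `out` label is outside both hunks, so this is a leak only if `out` does not call `dev_put(dev)`. Confirm that, and if `out` does not release the reference, either jump to the label that does or drop it inline: `if (addr && dev && saddr->sll_halen < dev->addr_len) { dev_put(dev); goto out; }`. It is also worth confirming which `err` value this path returns, since the assignment that precedes it is not visible here.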
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 7b1af8b59cd2..29b27858fff1 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -935,10 +935,12 @@ fallback_to_reg_send:
935 tls_ctx->tx.overhead_size); 935 tls_ctx->tx.overhead_size);
936 } 936 }
937 937
938 ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter, msg_pl, 938 if (try_to_copy) {
939 try_to_copy); 939 ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter,
940 if (ret < 0) 940 msg_pl, try_to_copy);
941 goto trim_sgl; 941 if (ret < 0)
942 goto trim_sgl;
943 }
942 944
943 /* Open records defined only if successfully copied, otherwise 945 /* Open records defined only if successfully copied, otherwise
944 * we would trim the sg but not reset the open record frags. 946 * we would trim the sg but not reset the open record frags.