Commit 87935eee authored by Linus Torvalds's avatar Linus Torvalds

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull more networking fixes from David Miller:
 "Some more bug fixes have trickled in, we have:

  1) Local MAC entries properly in mscc driver, from Allan W. Nielsen.

  2) Eric Dumazet found some more of the typical "pskb_may_pull() -->
     oops forgot to reload the header pointer" bugs in ipv6 tunnel
     handling.

  3) Bad SKB socket pointer in ipv6 fragmentation handling, from Herbert
     Xu.

  4) Overflow fix in sk_msg_clone(), from Vakul Garg.

  5) Validate address lengths in AF_PACKET, from Willem de Bruijn"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup
  qmi_wwan: Add support for Fibocom NL678 series
  tls: Do not call sk_memcopy_from_iter with zero length
  ipv6: tunnels: fix two use-after-free
  Prevent overflow of sk_msg in sk_msg_clone()
  packet: validate address length
  net: netxen: fix a missing check and an uninitialized use
  tcp: fix a race in inet_diag_dump_icsk()
  MAINTAINERS: update cxgb4 and cxgb3 maintainer
  ipv6: frags: Fix bogus skb->sk in reassembled packets
  mscc: Configured MAC entries should be locked.
parents 5092adb2 d667044f
...@@ -4057,7 +4057,7 @@ S: Maintained ...@@ -4057,7 +4057,7 @@ S: Maintained
F: drivers/media/dvb-frontends/cxd2820r* F: drivers/media/dvb-frontends/cxd2820r*
CXGB3 ETHERNET DRIVER (CXGB3) CXGB3 ETHERNET DRIVER (CXGB3)
M: Santosh Raspatur <santosh@chelsio.com> M: Arjun Vynipadath <arjun@chelsio.com>
L: netdev@vger.kernel.org L: netdev@vger.kernel.org
W: http://www.chelsio.com W: http://www.chelsio.com
S: Supported S: Supported
...@@ -4086,7 +4086,7 @@ S: Supported ...@@ -4086,7 +4086,7 @@ S: Supported
F: drivers/crypto/chelsio F: drivers/crypto/chelsio
CXGB4 ETHERNET DRIVER (CXGB4) CXGB4 ETHERNET DRIVER (CXGB4)
M: Ganesh Goudar <ganeshgr@chelsio.com> M: Arjun Vynipadath <arjun@chelsio.com>
L: netdev@vger.kernel.org L: netdev@vger.kernel.org
W: http://www.chelsio.com W: http://www.chelsio.com
S: Supported S: Supported
......
...@@ -747,7 +747,7 @@ static int ocelot_fdb_add(struct ndmsg *ndm, struct nlattr *tb[], ...@@ -747,7 +747,7 @@ static int ocelot_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
} }
return ocelot_mact_learn(ocelot, port->chip_port, addr, vid, return ocelot_mact_learn(ocelot, port->chip_port, addr, vid,
ENTRYTYPE_NORMAL); ENTRYTYPE_LOCKED);
} }
static int ocelot_fdb_del(struct ndmsg *ndm, struct nlattr *tb[], static int ocelot_fdb_del(struct ndmsg *ndm, struct nlattr *tb[],
......
...@@ -1125,7 +1125,8 @@ netxen_validate_firmware(struct netxen_adapter *adapter) ...@@ -1125,7 +1125,8 @@ netxen_validate_firmware(struct netxen_adapter *adapter)
return -EINVAL; return -EINVAL;
} }
val = nx_get_bios_version(adapter); val = nx_get_bios_version(adapter);
netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios); if (netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios))
return -EIO;
if ((__force u32)val != bios) { if ((__force u32)val != bios) {
dev_err(&pdev->dev, "%s: firmware bios is incompatible\n", dev_err(&pdev->dev, "%s: firmware bios is incompatible\n",
fw_name[fw_type]); fw_name[fw_type]);
......
...@@ -151,17 +151,18 @@ static bool qmimux_has_slaves(struct usbnet *dev) ...@@ -151,17 +151,18 @@ static bool qmimux_has_slaves(struct usbnet *dev)
static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
{ {
unsigned int len, offset = sizeof(struct qmimux_hdr); unsigned int len, offset = 0;
struct qmimux_hdr *hdr; struct qmimux_hdr *hdr;
struct net_device *net; struct net_device *net;
struct sk_buff *skbn; struct sk_buff *skbn;
u8 qmimux_hdr_sz = sizeof(*hdr);
while (offset < skb->len) { while (offset + qmimux_hdr_sz < skb->len) {
hdr = (struct qmimux_hdr *)skb->data; hdr = (struct qmimux_hdr *)(skb->data + offset);
len = be16_to_cpu(hdr->pkt_len); len = be16_to_cpu(hdr->pkt_len);
/* drop the packet, bogus length */ /* drop the packet, bogus length */
if (offset + len > skb->len) if (offset + len + qmimux_hdr_sz > skb->len)
return 0; return 0;
/* control packet, we do not know what to do */ /* control packet, we do not know what to do */
...@@ -176,7 +177,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) ...@@ -176,7 +177,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
return 0; return 0;
skbn->dev = net; skbn->dev = net;
switch (skb->data[offset] & 0xf0) { switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) {
case 0x40: case 0x40:
skbn->protocol = htons(ETH_P_IP); skbn->protocol = htons(ETH_P_IP);
break; break;
...@@ -188,12 +189,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) ...@@ -188,12 +189,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
goto skip; goto skip;
} }
skb_put_data(skbn, skb->data + offset, len); skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, len);
if (netif_rx(skbn) != NET_RX_SUCCESS) if (netif_rx(skbn) != NET_RX_SUCCESS)
return 0; return 0;
skip: skip:
offset += len + sizeof(struct qmimux_hdr); offset += len + qmimux_hdr_sz;
} }
return 1; return 1;
} }
...@@ -1265,6 +1266,7 @@ static const struct usb_device_id products[] = { ...@@ -1265,6 +1266,7 @@ static const struct usb_device_id products[] = {
{QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
{QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
{QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */
{QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)}, /* Fibocom NL678 series */
/* 4. Gobi 1000 devices */ /* 4. Gobi 1000 devices */
{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
......
...@@ -94,6 +94,9 @@ int sk_msg_clone(struct sock *sk, struct sk_msg *dst, struct sk_msg *src, ...@@ -94,6 +94,9 @@ int sk_msg_clone(struct sock *sk, struct sk_msg *dst, struct sk_msg *src,
} }
while (len) { while (len) {
if (sk_msg_full(dst))
return -ENOSPC;
sge_len = sge->length - off; sge_len = sge->length - off;
sge_off = sge->offset + off; sge_off = sge->offset + off;
if (sge_len > len) if (sge_len > len)
......
...@@ -998,7 +998,9 @@ void inet_diag_dump_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *skb, ...@@ -998,7 +998,9 @@ void inet_diag_dump_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *skb,
if (!inet_diag_bc_sk(bc, sk)) if (!inet_diag_bc_sk(bc, sk))
goto next_normal; goto next_normal;
sock_hold(sk); if (!refcount_inc_not_zero(&sk->sk_refcnt))
goto next_normal;
num_arr[accum] = num; num_arr[accum] = num;
sk_arr[accum] = sk; sk_arr[accum] = sk;
if (++accum == SKARR_SZ) if (++accum == SKARR_SZ)
......
...@@ -901,6 +901,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto, ...@@ -901,6 +901,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
goto drop; goto drop;
if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
goto drop; goto drop;
ipv6h = ipv6_hdr(skb);
if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
goto drop; goto drop;
if (iptunnel_pull_header(skb, 0, tpi->proto, false)) if (iptunnel_pull_header(skb, 0, tpi->proto, false))
......
...@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb) ...@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
return 0; return 0;
} }
ipv6h = ipv6_hdr(skb);
if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) { if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
t->dev->stats.rx_dropped++; t->dev->stats.rx_dropped++;
rcu_read_unlock(); rcu_read_unlock();
......
...@@ -384,6 +384,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, ...@@ -384,6 +384,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
if (skb_try_coalesce(head, fp, &headstolen, &delta)) { if (skb_try_coalesce(head, fp, &headstolen, &delta)) {
kfree_skb_partial(fp, headstolen); kfree_skb_partial(fp, headstolen);
} else { } else {
fp->sk = NULL;
if (!skb_shinfo(head)->frag_list) if (!skb_shinfo(head)->frag_list)
skb_shinfo(head)->frag_list = fp; skb_shinfo(head)->frag_list = fp;
head->data_len += fp->len; head->data_len += fp->len;
......
...@@ -2627,6 +2627,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) ...@@ -2627,6 +2627,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
proto = saddr->sll_protocol; proto = saddr->sll_protocol;
addr = saddr->sll_addr; addr = saddr->sll_addr;
dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
goto out;
} }
err = -ENXIO; err = -ENXIO;
...@@ -2825,6 +2827,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -2825,6 +2827,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
proto = saddr->sll_protocol; proto = saddr->sll_protocol;
addr = saddr->sll_addr; addr = saddr->sll_addr;
dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
goto out;
} }
err = -ENXIO; err = -ENXIO;
......
...@@ -935,10 +935,12 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) ...@@ -935,10 +935,12 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
tls_ctx->tx.overhead_size); tls_ctx->tx.overhead_size);
} }
ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter, msg_pl, if (try_to_copy) {
try_to_copy); ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter,
if (ret < 0) msg_pl, try_to_copy);
goto trim_sgl; if (ret < 0)
goto trim_sgl;
}
/* Open records defined only if successfully copied, otherwise /* Open records defined only if successfully copied, otherwise
* we would trim the sg but not reset the open record frags. * we would trim the sg but not reset the open record frags.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment