From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Carl Huang <cjhuang@codeaurora.org>,
	Wen Gong <wgong@codeaurora.org>,
	Doug Anderson <dianders@chromium.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 42/48] net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue
Date: Thu, 19 Mar 2020 14:04:24 +0100
Message-ID: <20200319123916.071662618@linuxfoundation.org>
In-Reply-To: <20200319123902.941451241@linuxfoundation.org>

From: Carl Huang <cjhuang@codeaurora.org>

commit ce57785bf91b1ceaef4f4bffed8a47dc0919c8da upstream.

The len used for skb_put_padto is wrong; it needs to add the len of hdr.

In qrtr_node_enqueue, the local variable size_t len is assigned
skb->len, then skb_push(skb, sizeof(*hdr)) will increase skb->len by
sizeof(*hdr), so the local variable size_t len is not the same as skb->len
after skb_push(skb, sizeof(*hdr)).

Then the purpose of skb_put_padto(skb, ALIGN(len, 4)) is to add
pad to the end of the skb's data if skb->len is not aligned to 4, but
unfortunately it uses len instead of skb->len. At this line, skb->len
is 32 bytes (sizeof(*hdr)) more than len. For example, if len is 3 bytes,
then skb->len is 35 bytes (3 + 32), and ALIGN(len, 4) is 4 bytes, so
__skb_put_padto will do nothing after the check size(35) < len(4). The
correct value should be 36 (sizeof(*hdr) + ALIGN(len, 4) = 32 + 4);
then __skb_put_padto will pass the check size(35) < len(36) and add 1 byte
to the end of the skb's data, and the logic is correct.

function of skb_push:
void *skb_push(struct sk_buff *skb, unsigned int len)
{
	skb->data -= len;
	skb->len  += len;
	if (unlikely(skb->data < skb->head))
		skb_under_panic(skb, len, __builtin_return_address(0));
	return skb->data;
}

function of skb_put_padto
static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
{
	return __skb_put_padto(skb, len, true);
}

function of __skb_put_padto
static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
				  bool free_on_error)
{
	unsigned int size = skb->len;

	if (unlikely(size < len)) {
		len -= size;
		if (__skb_pad(skb, len, free_on_error))
			return -ENOMEM;
		__skb_put(skb, len);
	}
	return 0;
}

Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Cc: Doug Anderson <dianders@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/qrtr/qrtr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -203,7 +203,7 @@ static int qrtr_node_enqueue(struct qrtr
 	hdr->size = cpu_to_le32(len);
 	hdr->confirm_rx = 0;
 
-	skb_put_padto(skb, ALIGN(len, 4));
+	skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr));
 
 	mutex_lock(&node->ep_lock);
 	if (node->ep)
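
Review bot: The return value of skb_put_padto() is still discarded on the changed line. The helper quoted in the commit message calls __skb_put_padto(skb, len, true) and returns -ENOMEM when __skb_pad() fails, with free_on_error set to true, so on that path the skb may already be freed when execution reaches mutex_lock(&node->ep_lock) and the node->ep branch. Suggest capturing the result and returning it before taking the lock, for example rc = skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr)); if (rc) return rc;. A short comment noting that len was read before skb_push() and therefore excludes the header would also make the added + sizeof(*hdr) self-explanatory.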



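The length arithmetic described in the commit message, as a userspace model (an added example, not part of the original message or of the kernel source). The struct and the model_* / enqueue_len names are hypothetical stand-ins; only the 32-byte header size and the size < len check come from the message above.

```c
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 32u                    /* sizeof(*hdr) per the commit message */
#define ALIGN4(x) (((x) + 3u) & ~3u)    /* stand-in for ALIGN(x, 4) */

/* Hypothetical stand-in for struct sk_buff: headroom plus data in one array. */
struct model_skb {
	unsigned char buf[128];
	unsigned int data;              /* offset of the first valid byte */
	unsigned int len;               /* number of valid bytes */
};

/* Mirrors skb_push(): grow the valid region into the headroom. */
static void model_push(struct model_skb *skb, unsigned int len)
{
	skb->data -= len;
	skb->len += len;
}

/* Mirrors the check in __skb_put_padto(): pad only when skb->len < len. */
static void model_put_padto(struct model_skb *skb, unsigned int len)
{
	if (skb->len < len) {
		memset(skb->buf + skb->data + skb->len, 0, len - skb->len);
		skb->len = len;
	}
}

/* Final skb->len for a payload, before (fixed = 0) or after (fixed = 1) the patch. */
unsigned int enqueue_len(unsigned int payload_len, int fixed)
{
	struct model_skb skb = { .data = HDR_SIZE, .len = payload_len };
	unsigned int len;

	if (payload_len > sizeof(skb.buf) - HDR_SIZE)
		return 0;                   /* would not fit in the model buffer */
	len = skb.len;                  /* captured before the header is pushed */
	model_push(&skb, HDR_SIZE);     /* skb.len is now len + 32; len is stale */
	model_put_padto(&skb, fixed ? ALIGN4(len) + HDR_SIZE : ALIGN4(len));
	return skb.len;
}

int main(void)
{
	for (unsigned int n = 1; n <= 8; n++)
		printf("payload %u: before fix %u, after fix %u\n",
		       n, enqueue_len(n, 0), enqueue_len(n, 1));
	return 0;
}
```
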