* [PATCH AUTOSEL 5.4 1/3] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
@ 2022-03-21 21:53 Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 2/3] net: ipv6: fix skb_over_panic in __ip6_append_data Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 3/3] net: dsa: microchip: add spi_device_id tables Sasha Levin
0 siblings, 2 replies; 3+ messages in thread
From: Sasha Levin @ 2022-03-21 21:53 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Haimin Zhang, TCS Robot, Steffen Klassert, Sasha Levin, davem,
kuba, pabeni, netdev
From: Haimin Zhang <tcs_kernel@tencent.com>
[ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ]
Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
1) Function pfkey_register calls compose_sadb_supported to request
a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate
a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then
compose_sadb_supported treats the memory as a struct sadb_supported and
begins to initialize. But it just initializes the field sadb_supported_len
and field sadb_supported_exttype without field sadb_supported_reserved.
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 406e13478b01..2ac9560020f9 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1703,7 +1703,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
xfrm_probe_algs();
- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
+ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
if (!supp_skb) {
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
pfk->registered &= ~(1<<hdr->sadb_msg_satype);
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 5.4 2/3] net: ipv6: fix skb_over_panic in __ip6_append_data
2022-03-21 21:53 [PATCH AUTOSEL 5.4 1/3] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register Sasha Levin
@ 2022-03-21 21:53 ` Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 3/3] net: dsa: microchip: add spi_device_id tables Sasha Levin
1 sibling, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2022-03-21 21:53 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Tadeusz Struk, syzbot+e223cf47ec8ae183f2a0, Willem de Bruijn,
Jakub Kicinski, Sasha Levin, davem, yoshfuji, dsahern, pabeni,
netdev
From: Tadeusz Struk <tadeusz.struk@linaro.org>
[ Upstream commit 5e34af4142ffe68f01c8a9acae83300f8911e20c ]
Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
The reproducer triggers it by sending a crafted message via sendmmsg()
call, which triggers skb_over_panic, and crashes the kernel:
skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
dev:<NULL>
Update the check that prevents an invalid packet with MTU equal
to the fregment header size to eat up all the space for payload.
The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000
Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_output.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 918a9520d1f1..360679600957 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1429,8 +1429,8 @@ static int __ip6_append_data(struct sock *sk,
sizeof(struct frag_hdr) : 0) +
rt->rt6i_nfheader_len;
- if (mtu < fragheaderlen ||
- ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
+ if (mtu <= fragheaderlen ||
+ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
goto emsgsize;
maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 5.4 3/3] net: dsa: microchip: add spi_device_id tables
2022-03-21 21:53 [PATCH AUTOSEL 5.4 1/3] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 2/3] net: ipv6: fix skb_over_panic in __ip6_append_data Sasha Levin
@ 2022-03-21 21:53 ` Sasha Levin
1 sibling, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2022-03-21 21:53 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Claudiu Beznea, David S . Miller, Sasha Levin, woojung.huh,
UNGLinuxDriver, andrew, vivien.didelot, f.fainelli, olteanv,
kuba, pabeni, netdev
From: Claudiu Beznea <claudiu.beznea@microchip.com>
[ Upstream commit e981bc74aefc6a177b50c16cfa7023599799cf74 ]
Add spi_device_id tables to avoid logs like "SPI driver ksz9477-switch
has no spi_device_id".
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/microchip/ksz8795_spi.c | 11 +++++++++++
drivers/net/dsa/microchip/ksz9477_spi.c | 12 ++++++++++++
2 files changed, 23 insertions(+)
diff --git a/drivers/net/dsa/microchip/ksz8795_spi.c b/drivers/net/dsa/microchip/ksz8795_spi.c
index 8b00f8e6c02f..5639c5c59e25 100644
--- a/drivers/net/dsa/microchip/ksz8795_spi.c
+++ b/drivers/net/dsa/microchip/ksz8795_spi.c
@@ -86,12 +86,23 @@ static const struct of_device_id ksz8795_dt_ids[] = {
};
MODULE_DEVICE_TABLE(of, ksz8795_dt_ids);
+static const struct spi_device_id ksz8795_spi_ids[] = {
+ { "ksz8765" },
+ { "ksz8794" },
+ { "ksz8795" },
+ { "ksz8863" },
+ { "ksz8873" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, ksz8795_spi_ids);
+
static struct spi_driver ksz8795_spi_driver = {
.driver = {
.name = "ksz8795-switch",
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(ksz8795_dt_ids),
},
+ .id_table = ksz8795_spi_ids,
.probe = ksz8795_spi_probe,
.remove = ksz8795_spi_remove,
.shutdown = ksz8795_spi_shutdown,
diff --git a/drivers/net/dsa/microchip/ksz9477_spi.c b/drivers/net/dsa/microchip/ksz9477_spi.c
index 1142768969c2..9bda83d063e8 100644
--- a/drivers/net/dsa/microchip/ksz9477_spi.c
+++ b/drivers/net/dsa/microchip/ksz9477_spi.c
@@ -88,12 +88,24 @@ static const struct of_device_id ksz9477_dt_ids[] = {
};
MODULE_DEVICE_TABLE(of, ksz9477_dt_ids);
+static const struct spi_device_id ksz9477_spi_ids[] = {
+ { "ksz9477" },
+ { "ksz9897" },
+ { "ksz9893" },
+ { "ksz9563" },
+ { "ksz8563" },
+ { "ksz9567" },
+ { },
+};
+MODULE_DEVICE_TABLE(spi, ksz9477_spi_ids);
+
static struct spi_driver ksz9477_spi_driver = {
.driver = {
.name = "ksz9477-switch",
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(ksz9477_dt_ids),
},
+ .id_table = ksz9477_spi_ids,
.probe = ksz9477_spi_probe,
.remove = ksz9477_spi_remove,
.shutdown = ksz9477_spi_shutdown,
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-21 23:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-21 21:53 [PATCH AUTOSEL 5.4 1/3] af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 2/3] net: ipv6: fix skb_over_panic in __ip6_append_data Sasha Levin
2022-03-21 21:53 ` [PATCH AUTOSEL 5.4 3/3] net: dsa: microchip: add spi_device_id tables Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.