* [PATCH AUTOSEL 3.18 03/12] xfrm: Fix bucket count reported to userspace
[not found] <20181226225741.151608-1-sashal@kernel.org>
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 05/12] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Sasha Levin
` (5 subsequent siblings)
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel
Cc: Benjamin Poirier, Steffen Klassert, Sasha Levin, netdev
From: Benjamin Poirier <bpoirier@suse.com>
[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ]
sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
hash mask.
Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 1dbffea4da34..3ac1565e4d4c 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -623,7 +623,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
{
spin_lock_bh(&net->xfrm.xfrm_state_lock);
si->sadcnt = net->xfrm.state_num;
- si->sadhcnt = net->xfrm.state_hmask;
+ si->sadhcnt = net->xfrm.state_hmask + 1;
si->sadhmcnt = xfrm_state_hashmax;
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
}
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 05/12] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
[not found] <20181226225741.151608-1-sashal@kernel.org>
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 03/12] xfrm: Fix bucket count reported to userspace Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 06/12] bnx2x: Clear fip MAC when fcoe offload support is disabled Sasha Levin
` (4 subsequent siblings)
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel
Cc: Hui Peng, Mathias Payer, Greg Kroah-Hartman, David S . Miller,
Sasha Levin, linux-usb, netdev
From: Hui Peng <benquike@gmail.com>
[ Upstream commit 5146f95df782b0ac61abde36567e718692725c89 ]
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
error.
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/hso.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index babda7d8693e..f040bf558430 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2814,6 +2814,12 @@ static int hso_get_config_data(struct usb_interface *interface)
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2884,10 +2890,18 @@ static int hso_probe(struct usb_interface *interface,
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0 terminated
+ * array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 06/12] bnx2x: Clear fip MAC when fcoe offload support is disabled
[not found] <20181226225741.151608-1-sashal@kernel.org>
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 03/12] xfrm: Fix bucket count reported to userspace Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 05/12] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 07/12] w90p910_ether: remove incorrect __init annotation Sasha Levin
` (3 subsequent siblings)
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel
Cc: Sudarsana Reddy Kalluru, Sudarsana Reddy Kalluru, Ariel Elior,
David S . Miller, Sasha Levin, netdev
From: Sudarsana Reddy Kalluru <sudarsana.kalluru@cavium.com>
[ Upstream commit bbf666c1af916ed74795493c564df6fad462cc80 ]
On some customer setups it was observed that shmem contains a non-zero fip
MAC for 57711 which would lead to enabling of SW FCoE.
Add a software workaround to clear the bad fip mac address if no FCoE
connections are supported.
Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
index 8063e928827c..b121882c6d1b 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -11462,8 +11462,10 @@ static void bnx2x_get_fcoe_info(struct bnx2x *bp)
* If maximum allowed number of connections is zero -
* disable the feature.
*/
- if (!bp->cnic_eth_dev.max_fcoe_conn)
+ if (!bp->cnic_eth_dev.max_fcoe_conn) {
bp->flags |= NO_FCOE_FLAG;
+ eth_zero_addr(bp->fip_mac);
+ }
}
static void bnx2x_get_cnic_info(struct bnx2x *bp)
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 07/12] w90p910_ether: remove incorrect __init annotation
[not found] <20181226225741.151608-1-sashal@kernel.org>
` (2 preceding siblings ...)
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 06/12] bnx2x: Clear fip MAC when fcoe offload support is disabled Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 09/12] xen/netfront: tolerate frags with no data Sasha Levin
` (2 subsequent siblings)
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel; +Cc: Arnd Bergmann, David S . Miller, Sasha Levin, netdev
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 51367e423c6501a26e67d91a655d2bc892303462 ]
The get_mac_address() function is normally inline, but when it is
not, we get a warning that this configuration is broken:
WARNING: vmlinux.o(.text+0x4aff00): Section mismatch in reference from the function w90p910_ether_setup() to the function .init.text:get_mac_address()
The function w90p910_ether_setup() references
the function __init get_mac_address().
This is often because w90p910_ether_setup lacks a __init
Remove the __init to make it always do the right thing.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/nuvoton/w90p910_ether.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/nuvoton/w90p910_ether.c b/drivers/net/ethernet/nuvoton/w90p910_ether.c
index 379b7fbded78..f15c97343c9b 100644
--- a/drivers/net/ethernet/nuvoton/w90p910_ether.c
+++ b/drivers/net/ethernet/nuvoton/w90p910_ether.c
@@ -918,7 +918,7 @@ static const struct net_device_ops w90p910_ether_netdev_ops = {
.ndo_change_mtu = eth_change_mtu,
};
-static void __init get_mac_address(struct net_device *dev)
+static void get_mac_address(struct net_device *dev)
{
struct w90p910_ether *ether = netdev_priv(dev);
struct platform_device *pdev;
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 09/12] xen/netfront: tolerate frags with no data
[not found] <20181226225741.151608-1-sashal@kernel.org>
` (3 preceding siblings ...)
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 07/12] w90p910_ether: remove incorrect __init annotation Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 10/12] vxge: ensure data0 is initialized in when fetching firmware version information Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 11/12] net: netxen: fix a missing check and an uninitialized use Sasha Levin
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel; +Cc: Juergen Gross, David S . Miller, Sasha Levin, netdev
From: Juergen Gross <jgross@suse.com>
[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ]
At least old Xen net backends seem to send frags with no real data
sometimes. In case such a fragment happens to occur with the frag limit
already reached the frontend will BUG currently even if this situation
is easily recoverable.
Modify the BUG_ON() condition accordingly.
Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/xen-netfront.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 3bbfb09af65f..5d11e60d4995 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -913,7 +913,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
- BUG_ON(pull_to <= skb_headlen(skb));
+ BUG_ON(pull_to < skb_headlen(skb));
__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
}
BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 10/12] vxge: ensure data0 is initialized in when fetching firmware version information
[not found] <20181226225741.151608-1-sashal@kernel.org>
` (4 preceding siblings ...)
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 09/12] xen/netfront: tolerate frags with no data Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 11/12] net: netxen: fix a missing check and an uninitialized use Sasha Levin
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel
Cc: Colin Ian King, David S . Miller, Sasha Levin, netdev
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit f7db2beb4c2c6cc8111f5ab90fc7363ca91107b6 ]
Currently variable data0 is not being initialized so a garbage value is
being passed to vxge_hw_vpath_fw_api and this value is being written to
the rts_access_steer_data0 register. There are other occurrances where
data0 is being initialized to zero (e.g. in function
vxge_hw_upgrade_read_version) so I think it makes sense to ensure data0
is initialized likewise to 0.
Detected by CoverityScan, CID#140696 ("Uninitialized scalar variable")
Fixes: 8424e00dfd52 ("vxge: serialize access to steering control register")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/neterion/vxge/vxge-config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index 2bbd01fcb9b0..4332ebbd7162 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
@@ -808,7 +808,7 @@ __vxge_hw_vpath_fw_ver_get(struct __vxge_hw_virtualpath *vpath,
struct vxge_hw_device_date *fw_date = &hw_info->fw_date;
struct vxge_hw_device_version *flash_version = &hw_info->flash_version;
struct vxge_hw_device_date *flash_date = &hw_info->flash_date;
- u64 data0, data1 = 0, steer_ctrl = 0;
+ u64 data0 = 0, data1 = 0, steer_ctrl = 0;
enum vxge_hw_status status;
status = vxge_hw_vpath_fw_api(vpath,
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH AUTOSEL 3.18 11/12] net: netxen: fix a missing check and an uninitialized use
[not found] <20181226225741.151608-1-sashal@kernel.org>
` (5 preceding siblings ...)
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 10/12] vxge: ensure data0 is initialized in when fetching firmware version information Sasha Levin
@ 2018-12-26 22:57 ` Sasha Levin
6 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2018-12-26 22:57 UTC (permalink / raw)
To: stable, linux-kernel; +Cc: Kangjie Lu, David S . Miller, Sasha Levin, netdev
From: Kangjie Lu <kjlu@umn.edu>
[ Upstream commit d134e486e831defd26130770181f01dfc6195f7d ]
When netxen_rom_fast_read() fails, "bios" is left uninitialized and may
contain random value, thus should not be used.
The fix ensures that if netxen_rom_fast_read() fails, we return "-EIO".
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
index 5c4068353f66..746612a88515 100644
--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_init.c
@@ -1125,7 +1125,8 @@ netxen_validate_firmware(struct netxen_adapter *adapter)
return -EINVAL;
}
val = nx_get_bios_version(adapter);
- netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios);
+ if (netxen_rom_fast_read(adapter, NX_BIOS_VERSION_OFFSET, (int *)&bios))
+ return -EIO;
if ((__force u32)val != bios) {
dev_err(&pdev->dev, "%s: firmware bios is incompatible\n",
fw_name[fw_type]);
--
2.19.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-12-26 23:22 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20181226225741.151608-1-sashal@kernel.org>
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 03/12] xfrm: Fix bucket count reported to userspace Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 05/12] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 06/12] bnx2x: Clear fip MAC when fcoe offload support is disabled Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 07/12] w90p910_ether: remove incorrect __init annotation Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 09/12] xen/netfront: tolerate frags with no data Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 10/12] vxge: ensure data0 is initialized in when fetching firmware version information Sasha Levin
2018-12-26 22:57 ` [PATCH AUTOSEL 3.18 11/12] net: netxen: fix a missing check and an uninitialized use Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).