* [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lin Ma, Marcel Holtmann, Sasha Levin, linux-bluetooth, netdev
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 ]
The hci_sock_dev_event() function will clean up the hdev object for
sockets even if this object may still be in use within the
hci_sock_bound_ioctl() function, resulting in a UAF vulnerability.
This patch replaces the BH context lock to serialize these affairs
and prevent the race condition.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 93093d7c3824..120064e9cb2b 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
/* Detach sockets from device */
read_lock(&hci_sk_list.lock);
sk_for_each(sk, &hci_sk_list.head) {
- bh_lock_sock_nested(sk);
+ lock_sock(sk);
if (hci_pi(sk)->hdev == hdev) {
hci_pi(sk)->hdev = NULL;
sk->sk_err = EPIPE;
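Review bot: lock_sock(sk) can sleep, but here it is taken inside the read_lock(&hci_sk_list.lock) section opened two lines above it, and that is a spinning lock that must not be held across a sleep. bh_lock_sock_nested() was safe in that context; if the process-context socket lock is needed to serialize against the ioctl path, the walk over hci_sk_list.head should be restructured so the list lock is not held while lock_sock() is called, and the changelog should say how the locking context was verified.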
@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
hci_dev_put(hdev);
}
- bh_unlock_sock(sk);
+ release_sock(sk);
}
read_unlock(&hci_sk_list.lock);
}
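Review bot: release_sock(sk) at the end of the loop body closes the race only if hci_sock_bound_ioctl() holds lock_sock(sk) for the whole time it uses hdev, and neither hunk touches or shows that side. The changelog should name where the ioctl path takes the socket lock, since the hci_pi(sk)->hdev = NULL and hci_dev_put(hdev) sequence in this loop relies on it.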
--
2.30.2
* [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe()
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev
From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
[ Upstream commit f336d0b93ae978f12c5e27199f828da89b91e56a ]
The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'status'.
Eliminate the following smatch warning:
drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe()
warn: missing error code 'status'.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index a0a555052d8c..1ac2bc75edb1 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
dev_err(&pdev->dev,
"invalid sram_size %dB or board span %ldB\n",
mgp->sram_size, mgp->board_span);
+ status = -EINVAL;
goto abort_with_ioremap;
}
memcpy_fromio(mgp->eeprom_strings,
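Review bot: status = -EINVAL, placed between the dev_err() call and goto abort_with_ioremap, fixes the return value, but the changelog only quotes the smatch warning and does not say what myri10ge_probe() returned on this path before. For a stable backport it would help to state the user-visible effect (what value status held when an invalid sram_size or board span was detected) so reviewers can judge how much the fix matters.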
--
2.30.2
* [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Josh Triplett, David S . Miller, Sasha Levin, netdev
From: Josh Triplett <josh@joshtriplett.org>
[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ]
If the user specifies a hostname or domain name as part of the ip=
command-line option, preserve it and don't overwrite it with one
supplied by DHCP/BOOTP.
For instance, ip=::::myhostname::dhcp will use "myhostname" rather than
ignoring and overwriting it.
Fix the comment on ic_bootp_string that suggests it only copies a string
"if not already set"; it doesn't have any such logic.
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ipconfig.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index f0782c91514c..41e384834d50 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d
/*
- * Copy BOOTP-supplied string if not already set.
+ * Copy BOOTP-supplied string
*/
static int __init ic_bootp_string(char *dest, char *src, int len, int max)
{
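Review bot: the shortened comment above ic_bootp_string() drops the incorrect "if not already set" wording but no longer says who is responsible for that check. Since the guard now lives in the callers, consider wording such as "Copy BOOTP-supplied string; callers decide whether an existing value may be overwritten" so the contract is documented where the next caller will look.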
@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext)
}
break;
case 12: /* Host name */
- ic_bootp_string(utsname()->nodename, ext+1, *ext,
- __NEW_UTS_LEN);
- ic_host_name_set = 1;
+ if (!ic_host_name_set) {
+ ic_bootp_string(utsname()->nodename, ext+1, *ext,
+ __NEW_UTS_LEN);
+ ic_host_name_set = 1;
+ }
break;
case 15: /* Domain name (DNS) */
- ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
+ if (!ic_domain[0])
+ ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
break;
case 17: /* Root path */
if (!root_server_path[0])
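Review bot: case 12 is guarded by the ic_host_name_set flag while case 15 tests !ic_domain[0], and because ic_host_name_set = 1 now sits inside the guard, the first option 12 processed also blocks every later one, not only a hostname given on the command line. The changelog describes only the ip= case; it should mention this first-value-wins behaviour for server-supplied names, and a one-line comment on each case would make clear that both checks mean "already set, do not override".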
--
2.30.2
* [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify()
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev
From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
[ Upstream commit a8db57c1d285c758adc7fb43d6e2bad2554106e1 ]
The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'err'.
Eliminate the following smatch warning:
net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code
'err'.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0168c700a201..fa3ed51f846b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3648,8 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev)
if (err < 0)
goto errout;
- if (!skb->len)
+ if (!skb->len) {
+ err = -EINVAL;
goto errout;
+ }
rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
return 0;
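Review bot: the new err = -EINVAL in the !skb->len branch is reached only after the if (err < 0) check has passed, so an empty message was not an error exit before and now becomes a failure for every caller of rtnl_bridge_notify(). The changelog cites only the smatch warning; it should explain why an empty skb is an error rather than a legitimate nothing-to-notify result, or the branch should be left as it was.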
--
2.30.2
* [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zheng Yongjun, David S . Miller, Sasha Levin, linux-x25, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit d7736958668c4facc15f421e622ffd718f5be80a ]
When kalloc or kmemdup fails, the code should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/x25/af_x25.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 987e5f8cafbe..fd0a6c6c77b6 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol,
if (protocol)
goto out;
- rc = -ENOBUFS;
+ rc = -ENOMEM;
if ((sk = x25_alloc_socket(net, kern)) == NULL)
goto out;
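Review bot: rc = -ENOMEM ahead of x25_alloc_socket() changes the errno that x25_create() hands back on allocation failure, and the changelog does not match the hunk: it refers to kalloc or kmemdup while the allocation here is x25_alloc_socket(). Since this value is visible to whoever creates the socket, the changelog should name the affected call and state that the changed errno is intended for a stable release.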
--
2.30.2
* [PATCH AUTOSEL 4.14 17/18] net: Return the correct errno code
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit 49251cd00228a3c983651f6bb2f33f6a0b8f152e ]
When kalloc or kmemdup fails, the code should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/compat.c b/net/compat.c
index 45349658ed01..2ec822f4e409 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
if (kcmlen > stackbuf_size)
kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
if (kcmsg == NULL)
- return -ENOBUFS;
+ return -ENOMEM;
/* Now copy them over neatly. */
memset(kcmsg, 0, kcmlen);
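Review bot: the -ENOMEM return under if (kcmsg == NULL) treats every sock_kmalloc() failure as memory exhaustion, but sock_kmalloc() also returns NULL when the socket's option-memory limit would be exceeded, which is a per-socket buffer limit rather than a system out-of-memory condition. The changelog should say why -ENOMEM describes both cases better than -ENOBUFS, given that cmsghdr_from_user_compat_to_kern() returns this errno to its caller.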
--
2.30.2
* [PATCH AUTOSEL 4.14 18/18] fib: Return the correct errno code
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit 59607863c54e9eb3f69afc5257dfe71c38bb751e ]
When kalloc or kmemdup fails, the code should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/fib_rules.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 9bb321df0869..76c3f602ee15 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule *rule,
{
struct net *net;
struct sk_buff *skb;
- int err = -ENOBUFS;
+ int err = -ENOMEM;
net = ops->fro_net;
skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
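Review bot: int err = -ENOMEM is only an initial value in notify_rule_change(), which returns void, so the hunk does not show where err ends up or who sees the change. The changelog should say which path consumes this default (presumably the nlmsg_new() failure just below it) and who observes the new value, because the generic "kalloc or kmemdup" wording does not match the allocation visible here.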
--
2.30.2