From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com,
Phillip Potter <phil@philpotter.co.uk>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 30/47] net: tun: set tun->dev->addr_len during TUNSETLINK processing
Date: Thu, 15 Apr 2021 16:47:22 +0200 [thread overview]
Message-ID: <20210415144414.429033580@linuxfoundation.org> (raw)
In-Reply-To: <20210415144413.487943796@linuxfoundation.org>
From: Phillip Potter <phil@philpotter.co.uk>
commit cca8ea3b05c972ffb5295367e6c544369b45fbdd upstream.
When changing type with TUNSETLINK ioctl command, set tun->dev->addr_len
to match the appropriate type, using new tun_get_addr_len utility function
which returns appropriate address length for given type. Fixes a
KMSAN-found uninit-value bug reported by syzbot at:
https://syzkaller.appspot.com/bug?id=0766d38c656abeace60621896d705743aeefed51
Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com
Diagnosed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tun.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -72,6 +72,14 @@
#include <linux/seq_file.h>
#include <linux/uio.h>
#include <linux/skb_array.h>
+#include <linux/ieee802154.h>
+#include <linux/if_ltalk.h>
+#include <uapi/linux/if_fddi.h>
+#include <uapi/linux/if_hippi.h>
+#include <uapi/linux/if_fc.h>
+#include <net/ax25.h>
+#include <net/rose.h>
+#include <net/6lowpan.h>
#include <asm/uaccess.h>
@@ -2021,6 +2029,45 @@ unlock:
return ret;
}
+/* Return correct value for tun->dev->addr_len based on tun->dev->type. */
+static unsigned char tun_get_addr_len(unsigned short type)
+{
+ switch (type) {
+ case ARPHRD_IP6GRE:
+ case ARPHRD_TUNNEL6:
+ return sizeof(struct in6_addr);
+ case ARPHRD_IPGRE:
+ case ARPHRD_TUNNEL:
+ case ARPHRD_SIT:
+ return 4;
+ case ARPHRD_ETHER:
+ return ETH_ALEN;
+ case ARPHRD_IEEE802154:
+ case ARPHRD_IEEE802154_MONITOR:
+ return IEEE802154_EXTENDED_ADDR_LEN;
+ case ARPHRD_PHONET_PIPE:
+ case ARPHRD_PPP:
+ case ARPHRD_NONE:
+ return 0;
+ case ARPHRD_6LOWPAN:
+ return EUI64_ADDR_LEN;
+ case ARPHRD_FDDI:
+ return FDDI_K_ALEN;
+ case ARPHRD_HIPPI:
+ return HIPPI_ALEN;
+ case ARPHRD_IEEE802:
+ return FC_ALEN;
+ case ARPHRD_ROSE:
+ return ROSE_ADDR_LEN;
+ case ARPHRD_NETROM:
+ return AX25_ADDR_LEN;
+ case ARPHRD_LOCALTLK:
+ return LTALK_ALEN;
+ default:
+ return 0;
+ }
+}
+
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
unsigned long arg, int ifreq_len)
{
@@ -2159,6 +2206,7 @@ static long __tun_chr_ioctl(struct file
ret = -EBUSY;
} else {
tun->dev->type = (int) arg;
+ tun->dev->addr_len = tun_get_addr_len(tun->dev->type);
tun_debug(KERN_INFO, tun, "linktype set to %d\n",
tun->dev->type);
ret = 0;
next prev parent reply other threads:[~2021-04-15 14:54 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-15 14:46 [PATCH 4.9 00/47] 4.9.267-rc1 review Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 01/47] ARM: 8723/2: always assume the "unified" syntax for assembly code Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 02/47] iio: hid-sensor-prox: Fix scale not correct issue Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 03/47] ALSA: aloop: Fix initialization of controls Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 04/47] ASoC: intel: atom: Stop advertising non working S24LE support Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 05/47] nfc: fix refcount leak in llcp_sock_bind() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 06/47] nfc: fix refcount leak in llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.9 07/47] nfc: fix memory " Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 08/47] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 09/47] xen/evtchn: Change irq_info lock to raw_spinlock_t Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 10/47] net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 11/47] ia64: fix user_stack_pointer() for ptrace() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 12/47] ocfs2: fix deadlock between setattr and dio_end_io_write Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 13/47] fs: direct-io: fix missing sdio->boundary Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 14/47] parisc: parisc-agp requires SBA IOMMU driver Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 15/47] parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 16/47] batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 17/47] net: sched: sch_teql: fix null-pointer dereference Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 18/47] sch_red: fix off-by-one checks in red_check_params() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 19/47] gianfar: Handle error code at MAC address change Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 20/47] net:tipc: Fix a double free in tipc_sk_mcast_rcv Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 21/47] soc/fsl: qbman: fix conflicting alignment attributes Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 22/47] clk: fix invalid usage of list cursor in unregister Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 23/47] workqueue: Move the position of debug_work_activate() in __queue_work() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 24/47] s390/cpcmd: fix inline assembly register clobbering Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 25/47] RDMA/cxgb4: check for ipv6 address properly while destroying listener Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 26/47] clk: socfpga: fix iomem pointer cast on 64-bit Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 27/47] mm: add cond_resched() in gather_pte_stats() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 28/47] usbip: fix vudc usbip_sockfd_store races leading to gpf Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 29/47] cfg80211: remove WARN_ON() in cfg80211_sme_connect Greg Kroah-Hartman
2021-04-15 14:47 ` Greg Kroah-Hartman [this message]
2021-04-15 14:47 ` [PATCH 4.9 31/47] drivers: net: fix memory leak in atusb_probe Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 32/47] drivers: net: fix memory leak in peak_usb_create_dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 33/47] net: mac802154: Fix general protection fault Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 34/47] net: ieee802154: nl-mac: fix check on panid Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 35/47] net: ieee802154: fix nl802154 del llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 36/47] net: ieee802154: fix nl802154 del llsec dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 37/47] net: ieee802154: fix nl802154 add llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 38/47] net: ieee802154: fix nl802154 del llsec devkey Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 39/47] net: ieee802154: forbid monitor for set llsec params Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 40/47] net: ieee802154: forbid monitor for del llsec seclevel Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 41/47] net: ieee802154: stop dump llsec params for monitors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 42/47] Revert "cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath." Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 43/47] drm/imx: imx-ldb: fix out of bounds array access warning Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 44/47] gfs2: report "already frozen/thawed" errors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 45/47] netfilter: x_tables: fix compat match/target pad out-of-bound write Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 46/47] perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.9 47/47] xen/events: fix setting irq affinity Greg Kroah-Hartman
2021-04-15 22:44 ` [PATCH 4.9 00/47] 4.9.267-rc1 review Shuah Khan
2021-04-16 0:59 ` Florian Fainelli
2021-04-16 9:21 ` Jon Hunter
2021-04-16 11:50 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210415144414.429033580@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=phil@philpotter.co.uk \
--cc=stable@vger.kernel.org \
--cc=syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).