1. 25 Jul, 2020 5 commits
    • Xie He's avatar
      drivers/net/wan: lapb: Corrected the usage of skb_cow · 8754e137
      Xie He authored
      
      
      This patch fixed 2 issues with the usage of skb_cow in LAPB drivers
      "lapbether" and "hdlc_x25":
      
      1) After skb_cow fails, kfree_skb should be called to drop a reference
      to the skb. But in both drivers, kfree_skb is not called.
      
      2) skb_cow should be called before skb_push so that is can ensure the
      safety of skb_push. But in "lapbether", it is incorrectly called after
      skb_push.
      
      More details about these 2 issues:
      
      1) The behavior of calling kfree_skb on failure is also the behavior of
      netif_rx, which is called by this function with "return netif_rx(skb);".
      So this function should follow this behavior, too.
      
      2) In "lapbether", skb_cow is called after skb_push. This results in 2
      logical issues:
         a) skb_push is not protected by skb_cow;
         b) An extra headroom of 1 byte is ensured after skb_push. This extra
            headroom has no use in this function. It also has no use in the
            upper-layer function that this function passes the skb to
            (x25_lapb_receive_frame in net/x25/x25_dev.c).
      So logically skb_cow should instead be called before skb_push.
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Martin Schiller <ms@dev.tdt.de>
      Signed-off-by: default avatarXie He <xie.he.0141@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8754e137
    • Subash Abhinov Kasiviswanathan's avatar
      dev: Defer free of skbs in flush_backlog · 7df5cb75
      Subash Abhinov Kasiviswanathan authored
      IRQs are disabled when freeing skbs in input queue.
      Use the IRQ safe variant to free skbs here.
      
      Fixes: 145dd5f9
      
       ("net: flush the softnet backlog in process context")
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7df5cb75
    • Cong Wang's avatar
      qrtr: orphan socket in qrtr_release() · af9f691f
      Cong Wang authored
      We have to detach sock from socket in qrtr_release(),
      otherwise skb->sk may still reference to this socket
      when the skb is released in tun->queue, particularly
      sk->sk_wq still points to &sock->wq, which leads to
      a UAF.
      
      Reported-and-tested-by: syzbot+6720d64f31c081c2f708@syzkaller.appspotmail.com
      Fixes: 28fb4e59
      
       ("net: qrtr: Expose tunneling endpoint to user space")
      Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af9f691f
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-2020-07-24' of... · 657237f5
      David S. Miller authored
      Merge tag 'wireless-drivers-2020-07-24' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for v5.8
      
      Second set of fixes for v5.8, and hopefully also the last. Three
      important regressions fixed.
      
      ath9k
      
      * fix a regression which broke support for all ath9k usb devices
      
      ath10k
      
      * fix a regression which broke support for all QCA4019 AHB devices
      
      iwlwifi
      
      * fix a regression which broke support for some Killer Wireless-AC 1550 cards
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      657237f5
    • Andrea Righi's avatar
      xen-netfront: fix potential deadlock in xennet_remove() · c2c63310
      Andrea Righi authored
      
      
      There's a potential race in xennet_remove(); this is what the driver is
      doing upon unregistering a network device:
      
        1. state = read bus state
        2. if state is not "Closed":
        3.    request to set state to "Closing"
        4.    wait for state to be set to "Closing"
        5.    request to set state to "Closed"
        6.    wait for state to be set to "Closed"
      
      If the state changes to "Closed" immediately after step 1 we are stuck
      forever in step 4, because the state will never go back from "Closed" to
      "Closing".
      
      Make sure to check also for state == "Closed" in step 4 to prevent the
      deadlock.
      
      Also add a 5 sec timeout any time we wait for the bus state to change,
      to avoid getting stuck forever in wait_event().
      Signed-off-by: default avatarAndrea Righi <andrea.righi@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2c63310
  2. 24 Jul, 2020 2 commits
  3. 23 Jul, 2020 12 commits
  4. 22 Jul, 2020 3 commits
  5. 21 Jul, 2020 18 commits