3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Aug 2016 10:37:58 +0000 (12:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Aug 2016 10:37:58 +0000 (12:37 +0200)
added patches:
udp-properly-support-msg_peek-with-truncated-buffers.patch
usb-usbfs-fix-potential-infoleak-in-devio.patch

queue-3.14/series
queue-3.14/udp-properly-support-msg_peek-with-truncated-buffers.patch [new file with mode: 0644]
queue-3.14/usb-usbfs-fix-potential-infoleak-in-devio.patch [new file with mode: 0644]

index f78f018120578758b7460eea0e3a8e73ce446341..63b5c5663caf0e461ab527b941f24c5c2a5a5e31 100644 (file)
@@ -18,3 +18,5 @@ mips-kvm-add-missing-gfn-range-check.patch
 mips-kvm-fix-gfn-range-check-in-kseg0-tlb-faults.patch
 mips-kvm-propagate-kseg0-mapped-tlb-fault-errors.patch
 nfs-don-t-create-zero-length-requests.patch
+usb-usbfs-fix-potential-infoleak-in-devio.patch
+udp-properly-support-msg_peek-with-truncated-buffers.patch
diff --git a/queue-3.14/udp-properly-support-msg_peek-with-truncated-buffers.patch b/queue-3.14/udp-properly-support-msg_peek-with-truncated-buffers.patch
new file mode 100644 (file)
index 0000000..443a89a
--- /dev/null
@@ -0,0 +1,95 @@
+From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Dec 2015 08:51:12 -0500
+Subject: udp: properly support MSG_PEEK with truncated buffers
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.
+
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+                                 msg->msg_iov);
+returns -EFAULT.
+
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[ luis: backported to 3.16: adjusted context ]
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c |    6 ++++--
+ net/ipv6/udp.c |    6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1233,6 +1233,7 @@ int udp_recvmsg(struct kiocb *iocb, stru
+       int peeked, off = 0;
+       int err;
+       int is_udplite = IS_UDPLITE(sk);
++      bool checksum_valid = false;
+       bool slow;
+       if (flags & MSG_ERRQUEUE)
+@@ -1258,11 +1259,12 @@ try_again:
+        */
+       if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-              if (udp_lib_checksum_complete(skb))
++              checksum_valid = !udp_lib_checksum_complete(skb);
++              if (!checksum_valid)
+                       goto csum_copy_err;
+       }
+-      if (skb_csum_unnecessary(skb))
++      if (checksum_valid || skb_csum_unnecessary(skb))
+               err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+                                             msg->msg_iov, copied);
+       else {
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -389,6 +389,7 @@ int udpv6_recvmsg(struct kiocb *iocb, st
+       int peeked, off = 0;
+       int err;
+       int is_udplite = IS_UDPLITE(sk);
++      bool checksum_valid = false;
+       int is_udp4;
+       bool slow;
+@@ -420,11 +421,12 @@ try_again:
+        */
+       if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-              if (udp_lib_checksum_complete(skb))
++              checksum_valid = !udp_lib_checksum_complete(skb);
++              if (!checksum_valid)
+                       goto csum_copy_err;
+       }
+-      if (skb_csum_unnecessary(skb))
++      if (checksum_valid || skb_csum_unnecessary(skb))
+               err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+                                             msg->msg_iov, copied);
+       else {
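Review bot: `checksum_valid` is initialised only once, at its declaration above the `try_again:` label, in both udp_recvmsg() and udpv6_recvmsg(), so the new `checksum_valid || skb_csum_unnecessary(skb)` test is sound only if no path returns to `try_again` with the flag still true from a previous skb. From the visible lines the retry appears to go through `csum_copy_err`, which is reached with the flag false, but that label and the rest of both functions are outside the hunk, so this is not confirmed here. A stale true would let a datagram that was never verified be copied to user space through `skb_copy_datagram_iovec()`. I would state the invariant at the declaration, `/* true only after udp_lib_checksum_complete() verified the current skb */`, or reset the flag right after the label with `checksum_valid = false;`.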
diff --git a/queue-3.14/usb-usbfs-fix-potential-infoleak-in-devio.patch b/queue-3.14/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644 (file)
index 0000000..7cda422
--- /dev/null
@@ -0,0 +1,42 @@
+From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee upstream.
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1104,10 +1104,11 @@ static int proc_getdriver(struct dev_sta
+ static int proc_connectinfo(struct dev_state *ps, void __user *arg)
+ {
+-      struct usbdevfs_connectinfo ci = {
+-              .devnum = ps->dev->devnum,
+-              .slow = ps->dev->speed == USB_SPEED_LOW
+-      };
++      struct usbdevfs_connectinfo ci;
++
++      memset(&ci, 0, sizeof(ci));
++      ci.devnum = ps->dev->devnum;
++      ci.slow = ps->dev->speed == USB_SPEED_LOW;
+       if (copy_to_user(arg, &ci, sizeof(ci)))
+               return -EFAULT;
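Review bot: Nothing beside the new `memset(&ci, 0, sizeof(ci));` in proc_connectinfo() records why it replaced the designated initializer. The removed form looks tidier, so a later cleanup could restore it and reintroduce the leak of the struct's padding bytes through `copy_to_user()`. I would add one comment line above the memset: `/* memset, not an initializer: padding bytes must be zeroed before copy_to_user() */`. Other handlers in devio.c that copy a whole stack struct to user space may deserve the same check, but they are not visible in this hunk. The function's tail is also outside the hunk.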