--- /dev/null
+From 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 Mon Sep 17 00:00:00 2001
+From: Pavel Belous <pbelous@marvell.com>
+Date: Fri, 14 Feb 2020 18:44:56 +0300
+Subject: net: atlantic: fix potential error handling
+
+From: Pavel Belous <pbelous@marvell.com>
+
+commit 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 upstream.
+
+Code inspection found that in case of mapping error we do return current
+'ret' value. But beside error, it is used to count number of descriptors
+allocated for the packet. In that case map_skb function could return '1'.
+
+Changing it to return zero (number of mapped descriptors for skb)
+
+Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
+Signed-off-by: Pavel Belous <pbelous@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -519,8 +519,10 @@ static unsigned int aq_nic_map_skb(struc
+ dx_buff->len,
+ DMA_TO_DEVICE);
+
+- if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa)))
++ if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) {
++ ret = 0;
+ goto exit;
++ }
+
+ first = dx_buff;
+ dx_buff->len_pkt = skb->len;
--- /dev/null
+From 3a20773beeeeadec41477a5ba872175b778ff752 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 20 Feb 2020 16:42:13 +0200
+Subject: net: netlink: cap max groups which will be considered in netlink_bind()
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream.
+
+Since nl_groups is a u32 we can't bind more groups via ->bind
+(netlink_bind) call, but netlink has supported more groups via
+setsockopt() for a long time and thus nlk->ngroups could be over 32.
+Recently I added support for per-vlan notifications and increased the
+groups to 33 for NETLINK_ROUTE which exposed an old bug in the
+netlink_bind() code causing out-of-bounds access on archs where unsigned
+long is 32 bits via test_bit() on a local variable. Fix this by capping the
+maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively
+capping them at 32 which is the minimum of allocated groups and the
+maximum groups which can be bound via netlink_bind().
+
+CC: Christophe Leroy <christophe.leroy@c-s.fr>
+CC: Richard Guy Briggs <rgb@redhat.com>
+Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.")
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -997,7 +997,8 @@ static int netlink_bind(struct socket *s
+ if (nlk->netlink_bind && groups) {
+ int group;
+
+- for (group = 0; group < nlk->ngroups; group++) {
++ /* nl_groups is a u32, so cap the maximum groups we can bind */
++ for (group = 0; group < BITS_PER_TYPE(u32); group++) {
+ if (!test_bit(group, &groups))
+ continue;
+ err = nlk->netlink_bind(net, group + 1);
+@@ -1016,7 +1017,7 @@ static int netlink_bind(struct socket *s
+ netlink_insert(sk, nladdr->nl_pid) :
+ netlink_autobind(sock);
+ if (err) {
+- netlink_undo_bind(nlk->ngroups, groups, sk);
++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
+ goto unlock;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
