--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:53:05 AM CEST
+From: Xie He <xie.he.0141@gmail.com>
+Date: Wed, 5 Aug 2020 18:50:40 -0700
+Subject: drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ]
+
+1. Added a skb->len check
+
+This driver expects upper layers to include a pseudo header of 1 byte
+when passing down a skb for transmission. This driver will read this
+1-byte header. This patch added a skb->len check before reading the
+header to make sure the header exists.
+
+2. Changed to use needed_headroom instead of hard_header_len to request
+necessary headroom to be allocated
+
+In net/packet/af_packet.c, the function packet_snd first reserves a
+headroom of length (dev->hard_header_len + dev->needed_headroom).
+Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header,
+which calls dev->header_ops->create, to create the link layer header.
+If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of
+length (dev->hard_header_len), and assumes the user to provide the
+appropriate link layer header.
+
+So according to the logic of af_packet.c, dev->hard_header_len should
+be the length of the header that would be created by
+dev->header_ops->create.
+
+However, this driver doesn't provide dev->header_ops, so logically
+dev->hard_header_len should be 0.
+
+So we should use dev->needed_headroom instead of dev->hard_header_len
+to request necessary headroom to be allocated.
+
+This change fixes kernel panic when this driver is used with AF_PACKET
+SOCK_RAW sockets.
+
+Call stack when panic:
+
+[ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20
+put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0
+dev:veth0
+...
+[ 168.399255] Call Trace:
+[ 168.399259] skb_push.cold+0x14/0x24
+[ 168.399262] eth_header+0x2b/0xc0
+[ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether]
+[ 168.399275] lapb_data_transmit+0x22/0x2c [lapb]
+[ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb]
+[ 168.399279] lapb_kick+0xe3/0x1c0 [lapb]
+[ 168.399281] lapb_data_request+0x76/0xc0 [lapb]
+[ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether]
+[ 168.399286] dev_hard_start_xmit+0x91/0x1f0
+[ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100
+[ 168.399291] __dev_queue_xmit+0x721/0x8e0
+[ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110
+[ 168.399297] dev_queue_xmit+0x10/0x20
+[ 168.399298] packet_sendmsg+0xbf0/0x19b0
+......
+
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/lapbether.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -160,6 +160,12 @@ static netdev_tx_t lapbeth_xmit(struct s
+ if (!netif_running(dev))
+ goto drop;
+
++ /* There should be a pseudo header of 1 byte added by upper layers.
++ * Check to make sure it is there before reading it.
++ */
++ if (skb->len < 1)
++ goto drop;
++
+ switch (skb->data[0]) {
+ case X25_IFACE_DATA:
+ break;
+@@ -308,6 +314,7 @@ static void lapbeth_setup(struct net_dev
+ dev->netdev_ops = &lapbeth_netdev_ops;
+ dev->destructor = free_netdev;
+ dev->type = ARPHRD_X25;
++ dev->hard_header_len = 0;
+ dev->mtu = 1000;
+ dev->addr_len = 0;
+ }
+@@ -334,7 +341,8 @@ static int lapbeth_new_device(struct net
+ * then this driver prepends a length field of 2 bytes,
+ * then the underlying Ethernet device prepends its own header.
+ */
+- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len;
++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len
++ + dev->needed_headroom;
+
+ lapbeth = netdev_priv(ndev);
+ lapbeth->axdev = ndev;
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:53:05 AM CEST
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+Date: Mon, 10 Aug 2020 09:51:00 +0800
+Subject: net/nfc/rawsock.c: add CAP_NET_RAW check.
+
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+
+[ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.
+
+Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/rawsock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -344,10 +344,13 @@ static int rawsock_create(struct net *ne
+ if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW))
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &rawsock_raw_ops;
+- else
++ } else {
+ sock->ops = &rawsock_ops;
++ }
+
+ sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern);
+ if (!sk)
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:53:05 AM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Thu, 6 Aug 2020 19:53:16 +0800
+Subject: net: Set fput_needed iff FDPUT_FPUT is set
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ]
+
+We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed
+accordingly.
+
+Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -456,7 +456,7 @@ static struct socket *sockfd_lookup_ligh
+ if (f.file) {
+ sock = sock_from_file(f.file, err);
+ if (likely(sock)) {
+- *fput_needed = f.flags;
++ *fput_needed = f.flags & FDPUT_FPUT;
+ return sock;
+ }
+ fdput(f);
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/pinctrl/pinctrl-single.c | 11 +++++++----
+ drivers/pinctrl/pinctrl-single.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
-diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
-index 73d8d47ea465a..17714793c08e4 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
-@@ -1071,7 +1071,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+@@ -1071,7 +1071,7 @@ static int pcs_parse_pinconf(struct pcs_
/* If pinconf isn't supported, don't parse properties in below. */
if (!PCS_HAS_PINCONF)
/* cacluate how much properties are supported in current node */
for (i = 0; i < ARRAY_SIZE(prop2); i++) {
-@@ -1083,7 +1083,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np,
+@@ -1083,7 +1083,7 @@ static int pcs_parse_pinconf(struct pcs_
nconfs++;
}
if (!nconfs)
func->conf = devm_kzalloc(pcs->dev,
sizeof(struct pcs_conf_vals) * nconfs,
-@@ -1196,9 +1196,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs,
+@@ -1196,9 +1196,12 @@ static int pcs_parse_one_pinctrl_entry(s
if (PCS_HAS_PINCONF) {
res = pcs_parse_pinconf(pcs, np, function, map);
} else {
*num_maps = 1;
}
---
-2.25.1
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
