Commit e25b4927 authored by Linus Torvalds's avatar Linus Torvalds

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "A quick batch of bug fixes:

  1) Fix build with IPV6 disabled, from Eric Dumazet.

  2) Several more cases of caching SKB data pointers across calls to
     pskb_may_pull(), thus referencing potentially free'd memory.  From
     Li RongQing.

  3) DSA phy code tests operation presence improperly, instead of going:

        if (x->ops->foo)
                r = x->ops->foo(args);

     it was going:

        if (x->ops->foo(args))
                r = x->ops->foo(args);

   Fix from Andew Lunn"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  Net: DSA: Fix checking for get_phy_flags function
  ipv6: fix a potential use after free in sit.c
  ipv6: fix a potential use after free in ip6_offload.c
  ipv4: fix a potential use after free in gre_offload.c
  tcp: fix build error if IPv6 is not enabled
parents 52d589a0 228b16cb
...@@ -730,6 +730,7 @@ struct tcp_skb_cb { ...@@ -730,6 +730,7 @@ struct tcp_skb_cb {
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0])) #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
#if IS_ENABLED(CONFIG_IPV6)
/* This is the variant of inet6_iif() that must be used by TCP, /* This is the variant of inet6_iif() that must be used by TCP,
* as TCP moves IP6CB into a different location in skb->cb[] * as TCP moves IP6CB into a different location in skb->cb[]
*/ */
...@@ -737,6 +738,7 @@ static inline int tcp_v6_iif(const struct sk_buff *skb) ...@@ -737,6 +738,7 @@ static inline int tcp_v6_iif(const struct sk_buff *skb)
{ {
return TCP_SKB_CB(skb)->header.h6.iif; return TCP_SKB_CB(skb)->header.h6.iif;
} }
#endif
/* Due to TSO, an SKB can be composed of multiple actual /* Due to TSO, an SKB can be composed of multiple actual
* packets. To keep these tracked properly, we use this. * packets. To keep these tracked properly, we use this.
......
...@@ -599,7 +599,7 @@ dsa_slave_create(struct dsa_switch *ds, struct device *parent, ...@@ -599,7 +599,7 @@ dsa_slave_create(struct dsa_switch *ds, struct device *parent,
netif_carrier_off(slave_dev); netif_carrier_off(slave_dev);
if (p->phy != NULL) { if (p->phy != NULL) {
if (ds->drv->get_phy_flags(ds, port)) if (ds->drv->get_phy_flags)
p->phy->dev_flags |= ds->drv->get_phy_flags(ds, port); p->phy->dev_flags |= ds->drv->get_phy_flags(ds, port);
phy_attach(slave_dev, dev_name(&p->phy->dev), phy_attach(slave_dev, dev_name(&p->phy->dev),
......
...@@ -55,13 +55,13 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, ...@@ -55,13 +55,13 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
if (csum) if (csum)
skb->encap_hdr_csum = 1; skb->encap_hdr_csum = 1;
if (unlikely(!pskb_may_pull(skb, ghl)))
goto out;
/* setup inner skb. */ /* setup inner skb. */
skb->protocol = greh->protocol; skb->protocol = greh->protocol;
skb->encapsulation = 0; skb->encapsulation = 0;
if (unlikely(!pskb_may_pull(skb, ghl)))
goto out;
__skb_pull(skb, ghl); __skb_pull(skb, ghl);
skb_reset_mac_header(skb); skb_reset_mac_header(skb);
skb_set_network_header(skb, skb_inner_network_offset(skb)); skb_set_network_header(skb, skb_inner_network_offset(skb));
......
...@@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto) ...@@ -46,6 +46,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
if (unlikely(!pskb_may_pull(skb, len))) if (unlikely(!pskb_may_pull(skb, len)))
break; break;
opth = (void *)skb->data;
proto = opth->nexthdr; proto = opth->nexthdr;
__skb_pull(skb, len); __skb_pull(skb, len);
} }
......
...@@ -485,11 +485,11 @@ static void ipip6_tunnel_uninit(struct net_device *dev) ...@@ -485,11 +485,11 @@ static void ipip6_tunnel_uninit(struct net_device *dev)
*/ */
static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb) static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb)
{ {
const struct iphdr *iph = (const struct iphdr *) skb->data; int ihl = ((const struct iphdr *)skb->data)->ihl*4;
struct rt6_info *rt; struct rt6_info *rt;
struct sk_buff *skb2; struct sk_buff *skb2;
if (!pskb_may_pull(skb, iph->ihl * 4 + sizeof(struct ipv6hdr) + 8)) if (!pskb_may_pull(skb, ihl + sizeof(struct ipv6hdr) + 8))
return 1; return 1;
skb2 = skb_clone(skb, GFP_ATOMIC); skb2 = skb_clone(skb, GFP_ATOMIC);
...@@ -498,7 +498,7 @@ static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb) ...@@ -498,7 +498,7 @@ static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb)
return 1; return 1;
skb_dst_drop(skb2); skb_dst_drop(skb2);
skb_pull(skb2, iph->ihl * 4); skb_pull(skb2, ihl);
skb_reset_network_header(skb2); skb_reset_network_header(skb2);
rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 0); rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment