Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
"A quick batch of bug fixes:

1) Fix build with IPV6 disabled, from Eric Dumazet.

2) Several more cases of caching SKB data pointers across calls to
pskb_may_pull(), thus referencing potentially free'd memory. From
Li RongQing.

3) DSA phy code tests operation presence improperly, instead of going:

if (x->ops->foo)
r = x->ops->foo(args);

it was going:

if (x->ops->foo(args))
r = x->ops->foo(args);

Fix from Andew Lunn"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
Net: DSA: Fix checking for get_phy_flags function
ipv6: fix a potential use after free in sit.c
ipv6: fix a potential use after free in ip6_offload.c
ipv4: fix a potential use after free in gre_offload.c
tcp: fix build error if IPv6 is not enabled

+10 -7
+2
include/net/tcp.h
··· 730 730 #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0])) 731 731 732 732 733 + #if IS_ENABLED(CONFIG_IPV6) 733 734 /* This is the variant of inet6_iif() that must be used by TCP, 734 735 * as TCP moves IP6CB into a different location in skb->cb[] 735 736 */ ··· 738 737 { 739 738 return TCP_SKB_CB(skb)->header.h6.iif; 740 739 } 740 + #endif 741 741 742 742 /* Due to TSO, an SKB can be composed of multiple actual 743 743 * packets. To keep these tracked properly, we use this.
+1 -1
net/dsa/slave.c
··· 599 599 netif_carrier_off(slave_dev); 600 600 601 601 if (p->phy != NULL) { 602 - if (ds->drv->get_phy_flags(ds, port)) 602 + if (ds->drv->get_phy_flags) 603 603 p->phy->dev_flags |= ds->drv->get_phy_flags(ds, port); 604 604 605 605 phy_attach(slave_dev, dev_name(&p->phy->dev),
+3 -3
net/ipv4/gre_offload.c
··· 55 55 if (csum) 56 56 skb->encap_hdr_csum = 1; 57 57 58 - if (unlikely(!pskb_may_pull(skb, ghl))) 59 - goto out; 60 - 61 58 /* setup inner skb. */ 62 59 skb->protocol = greh->protocol; 63 60 skb->encapsulation = 0; 61 + 62 + if (unlikely(!pskb_may_pull(skb, ghl))) 63 + goto out; 64 64 65 65 __skb_pull(skb, ghl); 66 66 skb_reset_mac_header(skb);
+1
net/ipv6/ip6_offload.c
··· 46 46 if (unlikely(!pskb_may_pull(skb, len))) 47 47 break; 48 48 49 + opth = (void *)skb->data; 49 50 proto = opth->nexthdr; 50 51 __skb_pull(skb, len); 51 52 }
+3 -3
net/ipv6/sit.c
··· 485 485 */ 486 486 static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb) 487 487 { 488 - const struct iphdr *iph = (const struct iphdr *) skb->data; 488 + int ihl = ((const struct iphdr *)skb->data)->ihl*4; 489 489 struct rt6_info *rt; 490 490 struct sk_buff *skb2; 491 491 492 - if (!pskb_may_pull(skb, iph->ihl * 4 + sizeof(struct ipv6hdr) + 8)) 492 + if (!pskb_may_pull(skb, ihl + sizeof(struct ipv6hdr) + 8)) 493 493 return 1; 494 494 495 495 skb2 = skb_clone(skb, GFP_ATOMIC); ··· 498 498 return 1; 499 499 500 500 skb_dst_drop(skb2); 501 - skb_pull(skb2, iph->ihl * 4); 501 + skb_pull(skb2, ihl); 502 502 skb_reset_network_header(skb2); 503 503 504 504 rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 0);