diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2021-08-08 08:48:03 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2021-08-08 08:48:03 +0200 |
| commit | cfdd4f44ffc1eab4461c268e9d29a35e01895d0f (patch) | |
| tree | 0abe7707b8f759347f35ac4ceccac1721a5040e8 /net | |
| parent | 449846c3e01f672fdb33412056058564d2cfaf21 (diff) | |
| parent | aff9d4e6115abc1732aef71bea36cf3beb9b2c53 (diff) | |
Merge 4.4.279 into android-4.4-p
Changes in 4.4.279
btrfs: mark compressed range uptodate only if all bio succeed
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
r8152: Fix potential PM refcount imbalance
net: Fix zero-copy head len calculation.
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
Linux 4.4.279
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3e6cadbc9c8291c2be61e0a3427225458891c18
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/hci_core.c | 16 | ||||
| -rw-r--r-- | net/can/raw.c | 20 | ||||
| -rw-r--r-- | net/core/skbuff.c | 5 |
3 files changed, 30 insertions, 11 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index c478924198d5..041e719543fe 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1666,6 +1666,14 @@ int hci_dev_do_close(struct hci_dev *hdev) BT_DBG("%s %p", hdev->name, hdev); + if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && + !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && + test_bit(HCI_UP, &hdev->flags)) { + /* Execute vendor specific shutdown routine */ + if (hdev->shutdown) + hdev->shutdown(hdev); + } + cancel_delayed_work(&hdev->power_off); hci_req_cancel(hdev, ENODEV); @@ -1738,14 +1746,6 @@ int hci_dev_do_close(struct hci_dev *hdev) clear_bit(HCI_INIT, &hdev->flags); } - if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && - !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && - test_bit(HCI_UP, &hdev->flags)) { - /* Execute vendor specific shutdown routine */ - if (hdev->shutdown) - hdev->shutdown(hdev); - } - /* flush cmd work */ flush_work(&hdev->cmd_work); diff --git a/net/can/raw.c b/net/can/raw.c index 2e1d850a7f2a..1c2bf97ca168 100644 --- a/net/can/raw.c +++ b/net/can/raw.c @@ -541,10 +541,18 @@ static int raw_setsockopt(struct socket *sock, int level, int optname, return -EFAULT; } + rtnl_lock(); lock_sock(sk); - if (ro->bound && ro->ifindex) + if (ro->bound && ro->ifindex) { dev = dev_get_by_index(&init_net, ro->ifindex); + if (!dev) { + if (count > 1) + kfree(filter); + err = -ENODEV; + goto out_fil; + } + } if (ro->bound) { /* (try to) register the new filters */ @@ -581,6 +589,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname, dev_put(dev); release_sock(sk); + rtnl_unlock(); break; @@ -593,10 +602,16 @@ static int raw_setsockopt(struct socket *sock, int level, int optname, err_mask &= CAN_ERR_MASK; + rtnl_lock(); lock_sock(sk); - if (ro->bound && ro->ifindex) + if (ro->bound && ro->ifindex) { dev = dev_get_by_index(&init_net, ro->ifindex); + if (!dev) { + err = -ENODEV; + goto out_err; + } + } /* remove current error mask */ if (ro->bound) { @@ -618,6 +633,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname, dev_put(dev); release_sock(sk); + rtnl_unlock(); break; diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 7665154c85c2..58989a5ba362 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2243,8 +2243,11 @@ skb_zerocopy_headlen(const struct sk_buff *from) if (!from->head_frag || skb_headlen(from) < L1_CACHE_BYTES || - skb_shinfo(from)->nr_frags >= MAX_SKB_FRAGS) + skb_shinfo(from)->nr_frags >= MAX_SKB_FRAGS) { hlen = skb_headlen(from); + if (!hlen) + hlen = from->len; + } if (skb_has_frag_list(from)) hlen = from->len; |