stuartl/linux-stable
1
0
Fork 0
mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git synced 2025-09-13 11:07:46 +10:00
Code Issues Releases Wiki Activity
v6.1.151
linux-stable/net
History
Jakob Unterwurzacher cf3c78ecdf net: dsa: microchip: linearize skb for tail-tagging switches 
[ Upstream commit ba54bce747 ]

The pointer arithmentic for accessing the tail tag only works
for linear skbs.

For nonlinear skbs, it reads uninitialized memory inside the
skb headroom, essentially randomizing the tag. I have observed
it gets set to 6 most of the time.

Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6
(which does not exist for the ksz9896 that's in use), dropping the packet.
Debug prints added by me (not included in this patch):

	[  256.645337] ksz9477_rcv:323 tag0=6
	[  256.645349] skb len=47 headroom=78 headlen=0 tailroom=0
	               mac=(64,14) mac_len=14 net=(78,0) trans=78
	               shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
	               csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
	               hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3
	               priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
	               encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
	[  256.645377] dev name=end1 feat=0x0002e10200114bb3
	[  256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[  256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[  256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[  256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	[  256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06
	[  256.645428] skb frag:     00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02
	[  256.645436] skb frag:     00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00
	[  256.645444] skb frag:     00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
	[  256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL

Call skb_linearize before trying to access the tag.

This patch fixes ksz9477_rcv which is used by the ksz9896 I have at
hand, and also applies the same fix to ksz8795_rcv which seems to have
the same problem.

Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@cherry.de>
CC: stable@vger.kernel.org
Fixes: 016e43a26b ("net: dsa: ksz: Add KSZ8795 tag code")
Fixes: 8b8010fb78 ("dsa: add support for Microchip KSZ tail tagging")
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20250515072920.2313014-1-jakob.unterwurzacher@cherry.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-09 18:54:20 +02:00
..
6lowpan
9p 9p/net: fix improper handling of bogus negative read/write replies 2025-05-02 07:47:04 +02:00
802
8021q net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime 2025-07-24 08:51:53 +02:00
appletalk net: appletalk: Fix use-after-free in AARP proxy probe 2025-08-15 12:04:47 +02:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-09 18:54:16 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-09 18:54:16 +02:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-09-09 18:54:18 +02:00
bluetooth Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() 2025-09-09 18:54:13 +02:00
bpf
bpfilter
bridge netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm 2025-09-09 18:54:13 +02:00
caif caif: reduce stack size, again 2025-08-15 12:04:56 +02:00
can can: bcm: add missing rcu read protection for procfs content 2025-06-04 14:40:20 +02:00
ceph
core net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM 2025-08-28 16:26:17 +02:00
dcb
dccp
devlink
dns_resolver
dsa net: dsa: microchip: linearize skb for tail-tagging switches 2025-09-09 18:54:20 +02:00
ethernet
ethtool net: ethtool: Don't call .cleanup_data when prepare_data fails 2025-04-25 10:43:25 +02:00
hsr net, hsr: reject HSR frame if skb can't hold tag 2025-08-28 16:26:09 +02:00
ieee802154
ife
ipv4 ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() 2025-09-09 18:54:15 +02:00
ipv6 icmp: fix icmp_ndo_send address translation for reply direction 2025-09-09 18:54:14 +02:00
iucv
kcm
key
l2tp
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-06-04 14:40:21 +02:00
mac80211 wifi: mac80211: check basic rates validity in sta_link_apply_parameters 2025-08-28 16:26:16 +02:00
mac802154
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-09 18:54:15 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-27 11:07:39 +01:00
mptcp mptcp: disable add_addr retransmission when timeout is 0 2025-08-28 16:26:16 +02:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-08-28 16:25:58 +02:00
netfilter netfilter: conntrack: helper: Replace -EEXIST by -EBUSY 2025-09-09 18:54:13 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-27 11:07:25 +01:00
netlink netlink: avoid infinite retry looping in netlink_unicast() 2025-08-28 16:25:48 +02:00
netrom
nfc NFC: nci: uart: Set tty->disc_data only in success path 2025-06-27 11:07:29 +01:00
nsh
openvswitch net: openvswitch: Fix the dead loop of MPLS parse 2025-06-27 11:07:12 +01:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-15 12:05:11 +02:00
phonet phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() 2025-07-24 08:51:48 +02:00
psample
qrtr
rds
rfkill
rose net: rose: fix a typo in rose_clear_routes() 2025-09-04 15:26:30 +02:00
rxrpc rxrpc: Fix oops due to non-existence of prealloc backlog struct 2025-07-17 18:32:06 +02:00
sched net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate 2025-08-28 16:26:18 +02:00
sctp sctp: initialize more fields in sctp_v6_from_sk() 2025-09-04 15:26:29 +02:00
smc net/smc: Remove validation of reserved bits in CLC Decline message 2025-09-09 18:54:15 +02:00
strparser
sunrpc SUNRPC: rpcbind should never reset the port to the value '0' 2025-06-04 14:40:03 +02:00
switchdev
tipc tipc: Fix use-after-free in tipc_conn_close(). 2025-07-17 18:32:05 +02:00
tls tls: fix handling of zero-length records on the rx_list 2025-08-28 16:26:16 +02:00
unix af_unix: Don't set -ECONNRESET for consumed OOB skb. 2025-07-06 10:58:00 +02:00
vmw_vsock vsock/virtio: Validate length in packet header before skb_put() 2025-08-28 16:26:07 +02:00
wireless wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() 2025-09-09 18:54:15 +02:00
x25
xdp
xfrm xfrm: interface: fix use-after-free after changing collect_md xfrm interface 2025-08-15 12:04:46 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile af_unix: Remove CONFIG_UNIX_SCM. 2025-06-04 14:40:23 +02:00
socket.c
sysctl_net.c