Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2024-03-26T22:19:41+00:00 2024-03-26T22:19:41+00:00 Gavrilov Ilia Ilia.Gavrilov@infotecs.ru 2024-03-07T14:23:50+00:00 urn:sha1:138cca05a83aaaa497940f483809c9f10f9ebe32 [ Upstream commit d6eb8de2015f0c24822e47356f839167ebde2945 ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-06-24T22:50:13+00:00 David Howells dhowells@redhat.com 2023-06-23T22:55:12+00:00 urn:sha1:dc97391e661009eab46783030d2404c9b6e6f2e7 Remove ->sendpage() and ->sendpage_locked(). sendmsg() with MSG_SPLICE_PAGES should be used instead. This allows multiple pages and multipage folios to be passed through. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for net/can cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> cc: linux-afs@lists.infradead.org cc: mptcp@lists.linux.dev cc: rds-devel@oss.oracle.com cc: tipc-discussion@lists.sourceforge.net cc: virtualization@lists.linux-foundation.org Link: https://lore.kernel.org/r/20230623225513.2732256-16-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-01-25T09:51:04+00:00 Hyunwoo Kim v4bel@theori.io 2023-01-23T19:43:23+00:00 urn:sha1:f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 When listen() and accept() are called on an x25 socket that connect() succeeds, accept() succeeds immediately. This is because x25_connect() queues the skb to sk->sk_receive_queue, and x25_accept() dequeues it. This creates a child socket with the sk of the parent x25 socket, which can cause confusion. Fix x25_listen() to return -EINVAL if the socket has already been successfully connect()ed to avoid this issue. Signed-off-by: Hyunwoo Kim <v4bel@theori.io> Signed-off-by: David S. Miller <davem@davemloft.net> 2022-11-16T04:22:19+00:00 Wei Yongjun weiyongjun1@huawei.com 2022-11-14T11:05:19+00:00 urn:sha1:2929cceb2fcf0ded7182562e4888afafece82cce x25_lapb_receive_frame() using skb_copy() to get a private copy of skb, the new skb should be freed in the undersized/fragmented skb error handling path. Otherwise there is a memory leak. Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Acked-by: Martin Schiller <ms@dev.tdt.de> Link: https://lore.kernel.org/r/20221114110519.514538-1-weiyongjun@huaweicloud.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-08-09T03:48:51+00:00 Martin Schiller ms@dev.tdt.de 2022-08-05T06:18:10+00:00 urn:sha1:944e594cfa84ec552831489c244e02589d826b11 When a userspace application starts a blocking connect(), a CALL REQUEST is sent, the t21 timer is started and the connect is waiting in x25_wait_for_connection_establishment(). If then for some reason the t21 timer expires before any reaction on the assigned logical channel (e.g. CALL ACCEPT, CLEAR REQUEST), there is sent a CLEAR REQUEST and timer t23 is started waiting for a CLEAR confirmation. If we now receive a CLEAR CONFIRMATION from the peer, x25_disconnect() is called in x25_state2_machine() with reason "0", which means "normal" call clearing. This is ok, but the parameter "reason" is used as sk->sk_err in x25_disconnect() and sock_error(sk) is evaluated in x25_wait_for_connection_establishment() to check if the call is still pending. As "0" is not rated as an error, the connect will stuck here forever. To fix this situation, also check if the sk->sk_state changed form TCP_SYN_SENT to TCP_CLOSE in the meantime, which is also done by x25_disconnect(). Signed-off-by: Martin Schiller <ms@dev.tdt.de> Link: https://lore.kernel.org/r/20220805061810.10824-1-ms@dev.tdt.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-05-10T09:59:22+00:00 Colin Ian King colin.i.king@gmail.com 2022-05-08T21:45:00+00:00 urn:sha1:ecd17a87eb78b5bd5ca6d1aa20c39f2bc3591337 Pointer dev is being assigned a value that is never used, the assignment and the variable are redundant and can be removed. Also replace null check with the preferred !ptr idiom. Cleans up clang scan warning: net/x25/x25_proc.c:94:26: warning: Although the value stored to 'dev' is used in the enclosing expression, the value is never actually read from 'dev' [deadcode.DeadStores] Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20220508214500.60446-1-colin.i.king@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2022-04-06T12:45:26+00:00 Oliver Hartkopp socketcan@hartkopp.net 2022-04-04T16:30:22+00:00 urn:sha1:f4b41f062c424209e3939a81e6da022e049a45f2 skb_recv_datagram() has two parameters 'flags' and 'noblock' that are merged inside skb_recv_datagram() by 'flags | (noblock ? MSG_DONTWAIT : 0)' As 'flags' may contain MSG_DONTWAIT as value most callers split the 'flags' into 'flags' and 'noblock' with finally obsolete bit operations like this: skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, flags & MSG_DONTWAIT, &rc); And this is not even done consistently with the 'flags' parameter. This patch removes the obsolete and costly splitting into two parameters and only performs bit operations when really needed on the caller side. One missing conversion thankfully reported by kernel test robot. I missed to enable kunit tests to build the mctp code. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2022-03-26T18:48:16+00:00 Duoming Zhou duoming@zju.edu.cn 2022-03-26T10:43:46+00:00 urn:sha1:7781607938c8371d4c2b243527430241c62e39c2 When the link layer is terminating, x25->neighbour will be set to NULL in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is shown below. (Thread 1) | (Thread 2) x25_link_terminated() | x25_recvmsg() x25_kill_by_neigh() | ... x25_disconnect() | lock_sock(sk) ... | ... x25->neighbour = NULL //(1) | ... | x25->neighbour->extended //(2) The code sets NULL to x25->neighbour in position (1) and dereferences x25->neighbour in position (2), which could cause null-ptr-deref bug. This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the sock held by lock_sock() is not NULL, because it is extracted from x25_list and uses x25_list_lock to synchronize. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Reviewed-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-12-10T02:35:11+00:00 Jean Sacren sakiwit@gmail.com 2021-12-08T07:20:25+00:00 urn:sha1:9745177c948984d61f7853f922d501cc440aae47 'more' is checked first. When !more is checked immediately after that, it is always true. We should drop this check. Signed-off-by: Jean Sacren <sakiwit@gmail.com> Acked-by: Martin Schiller <ms@dev.tdt.de> Link: https://lore.kernel.org/r/20211208024732.142541-5-sakiwit@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2021-06-10T21:08:09+00:00 Wang Hai wanghai38@huawei.com 2021-06-10T12:48:26+00:00 urn:sha1:bc831facf8a11e4e615dc67ae790325710bc1979 Convert list_for_each() to list_for_each_entry() where applicable. This simplifies the code. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>