linux_dsm_epyc7002/net
Pavel Skripkin 72714560fb net/qrtr: fix __netdev_alloc_skb call
commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.

syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
which tries to allocate skb. Since the value comes from the untrusted source
there is no need to raise a warning in __alloc_pages_nodemask().

[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
Call Trace:
 __alloc_pages include/linux/gfp.h:511 [inline]
 __alloc_pages_node include/linux/gfp.h:524 [inline]
 alloc_pages_node include/linux/gfp.h:538 [inline]
 kmalloc_large_node+0x60/0x110 mm/slub.c:3999
 __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
 __kmalloc_reserve net/core/skbuff.c:150 [inline]
 __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
 __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
 netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
 qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
 qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Acked-by: Alexander Lobakin <alobakin@pm.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-25 09:04:09 +01:00
..
6lowpan
9p net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-10-12 10:05:47 +02:00
802
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:16:55 +01:00
appletalk
atm net: atm: fix update of position index in lec_seq_next 2020-10-31 12:26:30 -07:00
ax25
batman-adv batman-adv: Don't always reallocate the fragmentation skb head 2020-11-27 08:02:55 +01:00
bluetooth Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data 2021-03-07 12:34:10 +01:00
bpf bpf: Reject too big ctx_size_in for raw_tp test run 2021-01-27 11:55:07 +01:00
bpfilter Revert "bpfilter: Fix build error with CONFIG_BPFILTER_UMH" 2020-10-15 12:33:24 -07:00
bridge net: bridge: use switchdev for port flags set through sysfs too 2021-03-07 12:34:07 +01:00
caif
can can: isotp: isotp_getname(): fix kernel information leak 2021-01-17 14:17:05 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-10-12 15:29:27 +02:00
core pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() 2021-03-07 12:34:09 +01:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 16:04:01 +01:00
dccp tcp: fix race condition when creating child sockets from syncookies 2020-11-23 16:32:33 -08:00
decnet
dns_resolver
dsa net: dsa: tag_mtk: fix 802.1ad VLAN egress 2021-03-17 17:06:22 +01:00
ethernet
ethtool ethtool: fix the check logic of at least one channel for RX/TX 2021-03-17 17:06:16 +01:00
hsr net: hsr: add support for EntryForgetTime 2021-03-07 12:34:07 +01:00
ieee802154 genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
ife
ipv4 cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:06:15 +01:00
ipv6 cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:06:15 +01:00
iucv net/af_iucv: remove WARN_ONCE on malformed RX packets 2021-03-07 12:34:05 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-13 13:55:02 +01:00
l2tp net: l2tp: reduce log level of messages in receive path, add counter instead 2021-03-17 17:06:11 +01:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:29:14 +01:00
llc
mac80211 mac80211: fix potential overflow when multiplying to u32 integers 2021-03-04 11:37:32 +01:00
mac802154
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 17:06:11 +01:00
mptcp mptcp: do not wakeup listener for MPJ subflows 2021-03-07 12:34:06 +01:00
ncsi net/ncsi: Use real net-device for response handler 2021-01-12 20:18:10 +01:00
netfilter netfilter: x_tables: gpf inside xt_find_revision() 2021-03-17 17:06:12 +01:00
netlabel cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:06:15 +01:00
netlink netlink: export policy in extended ACK 2020-10-09 20:22:32 -07:00
netrom
nfc tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
nsh
openvswitch net: openvswitch: fix TTL decrement exception action execution 2021-02-23 15:53:23 +01:00
packet net: fix proc_fs init handling in af_packet and tls 2021-02-23 15:53:23 +01:00
phonet
psample net: psample: Fix netlink skb length with tunnel info 2021-03-07 12:34:07 +01:00
qrtr net/qrtr: fix __netdev_alloc_skb call 2021-03-25 09:04:09 +01:00
rds RDMA: Lift ibdev_to_node from rds to common code 2021-02-26 10:12:59 +01:00
rfkill rfkill: Fix use-after-free in rfkill_resume() 2020-11-12 09:18:06 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-11-20 10:04:58 -08:00
rxrpc rxrpc: Fix clearance of Tx/Rx ring when releasing a call 2021-02-17 11:02:28 +01:00
sched net: sched: avoid duplicates in classes dump 2021-03-17 17:06:14 +01:00
sctp net: fix iteration for sctp transport seq_files 2021-02-17 11:02:29 +01:00
smc net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() 2020-11-19 10:59:19 -08:00
strparser
sunrpc sunrpc: fix refcount leak for rpc auth modules 2021-03-25 09:04:08 +01:00
switchdev net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP 2021-02-07 15:37:12 +01:00
tipc tipc: fix NULL deref in tipc_link_xmit() 2021-01-23 16:04:00 +01:00
tls net: fix proc_fs init handling in af_packet and tls 2021-02-23 15:53:23 +01:00
unix networking changes for the 5.10 merge window 2020-10-15 18:42:13 -07:00
vmw_vsock vsock: fix locking in vsock_shutdown() 2021-02-17 11:02:30 +01:00
wimax genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
wireless wext: fix NULL-ptr-dereference with cfg80211's lack of commit() 2021-02-03 23:28:38 +01:00
x25 net/x25: prevent a couple of overflows 2020-12-02 17:26:36 -08:00
xdp xsk: Clear pool even for inactive queues 2021-01-27 11:55:10 +01:00
xfrm xfrm: Fix wraparound in xfrm_policy_addr_delta() 2021-02-03 23:28:45 +01:00
compat.c iov_iter: transparently handle compat iovecs in import_iovec 2020-10-03 00:02:13 -04:00
devres.c
Kconfig drop_monitor: Convert to using devlink tracepoint 2020-09-30 18:01:26 -07:00
Makefile
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
sysctl_net.c