AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-01-13 23:46:11 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
de1887c064
linux_dsm_epyc7002/drivers/net
History
Luca Coelho de1887c064 iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() 
We don't check for the validity of the lengths in the packet received
from the firmware.  If the MPDU length received in the rx descriptor
is too short to contain the header length and the crypt length
together, we may end up trying to copy a negative number of bytes
(headlen - hdrlen < 0) which will underflow and cause us to try to
copy a huge amount of data.  This causes oopses such as this one:

BUG: unable to handle kernel paging request at ffff896be2970000
PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161
Oops: 0003 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1
Hardware name: [...]
RIP: 0010:memcpy_erms+0x6/0x10
Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3
 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffa4630196fc60 EFLAGS: 00010287
RAX: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610
RDX: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000
RBP: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000
R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050
R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038
FS:  0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm]
 iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi]
 iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi]
 irq_thread_fn+0x24/0x49
 irq_thread+0xb0/0x122
 kthread+0x138/0x140
 ret_from_fork+0x1f/0x40

Fix that by checking the lengths for correctness and trigger a warning
to show that we have received wrong data.

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-04-28 09:59:59 +03:00
..
appletalk
arcnet
bonding bonding: fix event handling for stacked bonds 2019-04-15 13:22:09 -07:00
caif
can peak_usb: fix clang build warning 2019-03-07 09:39:46 -08:00
dsa net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode 2019-03-27 21:53:50 -07:00
ethernet bnx2x: fix spelling mistake "dicline" -> "decline" 2019-04-15 17:23:09 -07:00
fddi
fjes
hamradio
hippi
hyperv hv_netvsc: Fix unwanted wakeup after tx_disable 2019-03-29 13:34:01 -07:00
ieee802154 ieee802154: hwsim: propagate genlmsg_reply return code 2019-03-13 10:13:26 +01:00
ipvlan Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-02-24 12:06:19 -08:00
netdevsim
phy net: phy: bcm54xx: Encode link speed and activity into LEDs 2019-03-26 11:24:47 -07:00
plip
ppp pptp: dst_release sk_dst_cache in pptp_sock_destruct 2019-03-13 14:22:49 -07:00
slip
team team: set slave to promisc if team is already in promisc mode 2019-04-10 19:17:59 -07:00
usb qmi_wwan: add Olicard 600 2019-03-28 16:58:06 -07:00
vmxnet3
wan net: wan: z85230: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles 2019-02-25 14:36:15 -08:00
wimax
wireless iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() 2019-04-28 09:59:59 +03:00
xen-netback Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-03-02 12:54:35 -08:00
dummy.c
eql.c
geneve.c geneve: correctly handle ipv6.disable module parameter 2019-03-01 22:07:56 -08:00
gtp.c
ifb.c
Kconfig gtp: change NET_UDP_TUNNEL dependency to select 2019-03-18 16:54:42 -07:00
LICENSE.SRC
loopback.c
macsec.c
macvlan.c macvlan: add ndo_change_proto_down support 2019-02-24 13:01:04 -08:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c net: Don't set transport offset to invalid value 2019-02-22 12:55:31 -08:00
thunderbolt.c
tun.c tun: add a missing rcu_read_unlock() in error path 2019-03-16 13:16:37 -07:00
veth.c veth: Fix -Wformat-truncation 2019-02-23 13:44:58 -08:00
virtio_net.c
vrf.c net: vrf: Fix ping failed when vrf mtu is set to 0 2019-04-07 22:44:02 -07:00
vsockmon.c
vxlan.c vxlan: Don't call gro_cells_destroy() before device is unregistered 2019-03-18 17:07:27 -07:00
xen-netfront.c