diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-01 17:18:16 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-01 17:18:16 +0200 |
commit | 82fa1b423da8131b8e1630bfc5d7696bf68c0e11 (patch) | |
tree | 00c5d591bdfc465b4a9211451562c1d5c5848df0 | |
parent | 2117eb2ecff564c9faced47f533efa6fab8d3bc0 (diff) | |
download | queue-3.18-82fa1b423da8131b8e1630bfc5d7696bf68c0e11.tar.gz |
more 3.18 patches
-rw-r--r-- | appletalk-enforce-cap_net_raw-for-raw-sockets.patch | 34 | ||||
-rw-r--r-- | ax25-enforce-cap_net_raw-for-raw-sockets.patch | 31 | ||||
-rw-r--r-- | cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch | 41 | ||||
-rw-r--r-- | ieee802154-enforce-cap_net_raw-for-raw-sockets.patch | 33 | ||||
-rw-r--r-- | misdn-enforce-cap_net_raw-for-raw-sockets.patch | 31 | ||||
-rw-r--r-- | net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch | 45 | ||||
-rw-r--r-- | nfc-enforce-cap_net_raw-for-raw-sockets.patch | 38 | ||||
-rw-r--r-- | openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch | 40 | ||||
-rw-r--r-- | sch_netem-fix-a-divide-by-zero-in-tabledist.patch | 36 | ||||
-rw-r--r-- | series | 12 | ||||
-rw-r--r-- | skge-fix-checksum-byte-order.patch | 32 | ||||
-rw-r--r-- | usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch | 39 | ||||
-rw-r--r-- | usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch | 41 |
13 files changed, 453 insertions, 0 deletions
diff --git a/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/appletalk-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 0000000..a7f2453 --- /dev/null +++ b/appletalk-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:46 +0200 +Subject: appletalk: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron <orinimron123@gmail.com> + +[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ] + +When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/appletalk/ddp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1029,6 +1029,11 @@ static int atalk_create(struct net *net, + */ + if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) + goto out; ++ ++ rc = -EPERM; ++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) ++ goto out; ++ + rc = -ENOMEM; + sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto); + if (!sk) diff --git a/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/ax25-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 0000000..a378292 --- /dev/null +++ b/ax25-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:47 +0200 +Subject: ax25: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron <orinimron123@gmail.com> + +[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ] + +When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/ax25/af_ax25.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -860,6 +860,8 @@ static int ax25_create(struct net *net, + break; + + case SOCK_RAW: ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + break; + default: + return -ESOCKTNOSUPPORT; diff --git a/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch new file mode 100644 index 0000000..d5a0e71 --- /dev/null +++ b/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: "Bjørn Mork" <bjorn@mork.no> +Date: Wed, 18 Sep 2019 14:01:46 +0200 +Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize + +From: "Bjørn Mork" <bjorn@mork.no> + +[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ] + +Endpoints with zero wMaxPacketSize are not usable for transferring +data. Ignore such endpoints when looking for valid in, out and +status pipes, to make the driver more robust against invalid and +meaningless descriptors. + +The wMaxPacketSize of the out pipe is used as divisor. So this change +fixes a divide-by-zero bug. + +Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/usb/cdc_ncm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -635,8 +635,12 @@ cdc_ncm_find_endpoints(struct usbnet *de + u8 ep; + + for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) { +- + e = intf->cur_altsetting->endpoint + ep; ++ ++ /* ignore endpoints which cannot transfer data */ ++ if (!usb_endpoint_maxp(&e->desc)) ++ continue; ++ + switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { + case USB_ENDPOINT_XFER_INT: + if (usb_endpoint_dir_in(&e->desc)) { diff --git a/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 0000000..ad01297 --- /dev/null +++ b/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:48 +0200 +Subject: ieee802154: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron <orinimron123@gmail.com> + +[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ] + +When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be +checked first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/ieee802154/af_ieee802154.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ieee802154/af_ieee802154.c ++++ b/net/ieee802154/af_ieee802154.c +@@ -252,6 +252,9 @@ static int ieee802154_create(struct net + + switch (sock->type) { + case SOCK_RAW: ++ rc = -EPERM; ++ if (!capable(CAP_NET_RAW)) ++ goto out; + proto = &ieee802154_raw_prot; + ops = &ieee802154_raw_ops; + break; diff --git a/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/misdn-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 0000000..12fa857 --- /dev/null +++ b/misdn-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:45 +0200 +Subject: mISDN: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron <orinimron123@gmail.com> + +[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ] + +When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/isdn/mISDN/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -763,6 +763,8 @@ base_sock_create(struct net *net, struct + + if (sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + + sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto); + if (!sk) diff --git a/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch new file mode 100644 index 0000000..07991de --- /dev/null +++ b/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Peter Mamonov <pmamonov@gmail.com> +Date: Wed, 18 Sep 2019 19:27:55 +0300 +Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function + +From: Peter Mamonov <pmamonov@gmail.com> + +[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ] + +According to the DP83865 datasheet "the 10 Mbps HDX loopback can be +disabled in the expanded memory register 0x1C0.1". The driver erroneously +used bit 0 instead of bit 1. + +Fixes: 4621bf129856 ("phy: Add file missed in previous commit.") +Signed-off-by: Peter Mamonov <pmamonov@gmail.com> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/phy/national.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/national.c ++++ b/drivers/net/phy/national.c +@@ -110,14 +110,17 @@ static void ns_giga_speed_fallback(struc + + static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable) + { ++ u16 lb_dis = BIT(1); ++ + if (disable) +- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1); ++ ns_exp_write(phydev, 0x1c0, ++ ns_exp_read(phydev, 0x1c0) | lb_dis); + else + ns_exp_write(phydev, 0x1c0, +- ns_exp_read(phydev, 0x1c0) & 0xfffe); ++ ns_exp_read(phydev, 0x1c0) & ~lb_dis); + + pr_debug("10BASE-T HDX loopback %s\n", +- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on"); ++ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on"); + } + + static int ns_config_init(struct phy_device *phydev) diff --git a/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/nfc-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 0000000..589f5db --- /dev/null +++ b/nfc-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:49 +0200 +Subject: nfc: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron <orinimron123@gmail.com> + +[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ] + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/nfc/llcp_sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -1005,10 +1005,13 @@ static int llcp_sock_create(struct net * + sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &llcp_rawsock_ops; +- else ++ } else { + sock->ops = &llcp_sock_ops; ++ } + + sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC); + if (sk == NULL) diff --git a/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch new file mode 100644 index 0000000..6cb7bd2 --- /dev/null +++ b/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Li RongQing <lirongqing@baidu.com> +Date: Tue, 24 Sep 2019 19:11:52 +0800 +Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC + +From: Li RongQing <lirongqing@baidu.com> + +[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ] + +userspace openvswitch patch "(dpif-linux: Implement the API +functions to allow multiple handler threads read upcall)" +changes its type from U32 to UNSPEC, but leave the kernel +unchanged + +and after kernel 6e237d099fac "(netlink: Relax attr validation +for fixed length types)", this bug is exposed by the below +warning + + [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length. + +Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's") +Signed-off-by: Li RongQing <lirongqing@baidu.com> +Acked-by: Pravin B Shelar <pshelar@ovn.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/openvswitch/datapath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -1974,7 +1974,7 @@ static const struct nla_policy vport_pol + [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) }, + [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 }, +- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 }, ++ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC }, + [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED }, + }; + diff --git a/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/sch_netem-fix-a-divide-by-zero-in-tabledist.patch new file mode 100644 index 0000000..518077f --- /dev/null +++ b/sch_netem-fix-a-divide-by-zero-in-tabledist.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 18 Sep 2019 08:05:39 -0700 +Subject: sch_netem: fix a divide by zero in tabledist() + +From: Eric Dumazet <edumazet@google.com> + +[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ] + +syzbot managed to crash the kernel in tabledist() loading +an empty distribution table. + + t = dist->table[rnd % dist->size]; + +Simply return an error when such load is attempted. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sched/sch_netem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -725,7 +725,7 @@ static int get_dist_table(struct Qdisc * + int i; + size_t s; + +- if (n > NETEM_DIST_MAX) ++ if (!n || n > NETEM_DIST_MAX) + return -EINVAL; + + s = sizeof(struct disttable) + n * sizeof(s16); @@ -3,3 +3,15 @@ hid-lg-make-transfer-buffers-dma-capable.patch hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch +cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch +net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch +openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch +sch_netem-fix-a-divide-by-zero-in-tabledist.patch +skge-fix-checksum-byte-order.patch +usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch +usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch +misdn-enforce-cap_net_raw-for-raw-sockets.patch +appletalk-enforce-cap_net_raw-for-raw-sockets.patch +ax25-enforce-cap_net_raw-for-raw-sockets.patch +nfc-enforce-cap_net_raw-for-raw-sockets.patch +ieee802154-enforce-cap_net_raw-for-raw-sockets.patch diff --git a/skge-fix-checksum-byte-order.patch b/skge-fix-checksum-byte-order.patch new file mode 100644 index 0000000..d8c2800 --- /dev/null +++ b/skge-fix-checksum-byte-order.patch @@ -0,0 +1,32 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Stephen Hemminger <stephen@networkplumber.org> +Date: Fri, 20 Sep 2019 18:18:26 +0200 +Subject: skge: fix checksum byte order + +From: Stephen Hemminger <stephen@networkplumber.org> + +[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ] + +Running old skge driver on PowerPC causes checksum errors +because hardware reported 1's complement checksum is in little-endian +byte order. + +Reported-by: Benoit <benoit.sansoni@gmail.com> +Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/marvell/skge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -3114,7 +3114,7 @@ static struct sk_buff *skge_rx_get(struc + skb_put(skb, len); + + if (dev->features & NETIF_F_RXCSUM) { +- skb->csum = csum; ++ skb->csum = le16_to_cpu(csum); + skb->ip_summed = CHECKSUM_COMPLETE; + } + diff --git a/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch new file mode 100644 index 0000000..e979ac1 --- /dev/null +++ b/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch @@ -0,0 +1,39 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: "Bjørn Mork" <bjorn@mork.no> +Date: Wed, 18 Sep 2019 14:17:38 +0200 +Subject: usbnet: ignore endpoints with invalid wMaxPacketSize + +From: "Bjørn Mork" <bjorn@mork.no> + +[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ] + +Endpoints with zero wMaxPacketSize are not usable for transferring +data. Ignore such endpoints when looking for valid in, out and +status pipes, to make the drivers more robust against invalid and +meaningless descriptors. + +The wMaxPacketSize of these endpoints are used for memory allocations +and as divisors in many usbnet minidrivers. Avoiding zero is therefore +critical. + +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/usb/usbnet.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -114,6 +114,11 @@ int usbnet_get_endpoints(struct usbnet * + int intr = 0; + + e = alt->endpoint + ep; ++ ++ /* ignore endpoints which cannot transfer data */ ++ if (!usb_endpoint_maxp(&e->desc)) ++ continue; ++ + switch (e->desc.bmAttributes) { + case USB_ENDPOINT_XFER_INT: + if (!usb_endpoint_dir_in(&e->desc)) diff --git a/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch new file mode 100644 index 0000000..3a5a1ef --- /dev/null +++ b/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 19 Sep 2019 10:23:08 +0200 +Subject: usbnet: sanity checking of packet sizes and device mtu + +From: Oliver Neukum <oneukum@suse.com> + +[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ] + +After a reset packet sizes and device mtu can change and need +to be reevaluated to calculate queue sizes. +Malicious devices can set this to zero and we divide by it. +Introduce sanity checking. + +Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/usb/usbnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -352,6 +352,8 @@ void usbnet_update_max_qlen(struct usbne + { + enum usb_device_speed speed = dev->udev->speed; + ++ if (!dev->rx_urb_size || !dev->hard_mtu) ++ goto insanity; + switch (speed) { + case USB_SPEED_HIGH: + dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size; +@@ -367,6 +369,7 @@ void usbnet_update_max_qlen(struct usbne + dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu; + break; + default: ++insanity: + dev->rx_qlen = dev->tx_qlen = 4; + } + } |