Pavel Skripkin 1dad483b1e net/qrtr: fix __netdev_alloc_skb call ... commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream. syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER. It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(), which tries to allocate skb. Since the value comes from the untrusted source there is no need to raise a warning in __alloc_pages_nodemask(). [1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014 Call Trace: __alloc_pages include/linux/gfp.h:511 [inline] __alloc_pages_node include/linux/gfp.h:524 [inline] alloc_pages_node include/linux/gfp.h:538 [inline] kmalloc_large_node+0x60/0x110 mm/slub.c:3999 __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496 __kmalloc_reserve net/core/skbuff.c:150 [inline] __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210 __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446 netdev_alloc_skb include/linux/skbuff.h:2832 [inline] qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442 qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98 call_write_iter include/linux/fs.h:1901 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x791/0xa30 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Acked-by: Alexander Lobakin <alobakin@pm.me> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2021-03-24 11:26:39 +01:00
..
6lowpan	6lowpan: no need to check return value of debugfs_create functions	2019-07-06 12:50:01 +02:00
9p	net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid	2020-11-05 11:43:20 +01:00
802	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
8021q	net: vlan: avoid leaks on register_vlan_dev() failures	2021-01-17 14:05:31 +01:00
appletalk	appletalk: Fix atalk_proc_init() return path	2020-08-11 15:33:40 +02:00
atm	atm: fix a memory leak of vcc->user_back	2020-10-01 13:17:58 +02:00
ax25	AX.25: Prevent integer overflows in connect and sendmsg	2020-07-31 18:39:31 +02:00
batman-adv	batman-adv: set .owner to THIS_MODULE	2020-12-02 08:49:50 +01:00
bluetooth	Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data	2021-03-07 12:20:45 +01:00
bpf	bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN	2019-07-25 18:00:41 -07:00
bpfilter	net/bpfilter: remove superfluous testing message	2020-04-21 09:04:53 +02:00
bridge	net: bridge: use switchdev for port flags set through sysfs too	2021-03-07 12:20:43 +01:00
caif	net: use skb_queue_empty_lockless() in poll() handlers	2019-10-28 13:33:41 -07:00
can	can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check	2020-12-11 13:23:32 +01:00
ceph	libceph: clear con->out_msg on Policy::stateful_server faults	2020-11-05 11:43:34 +01:00
core	pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()	2021-03-07 12:20:44 +01:00
dcb	net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands	2021-01-23 15:57:59 +01:00
dccp	dccp: Fix possible memleak in dccp_init and dccp_fini	2020-06-17 16:40:32 +02:00
decnet	net: add bool confirm_neigh parameter for dst_ops.update_pmtu	2020-01-04 19:18:58 +01:00
dns_resolver	KEYS: Don't write out to userspace while holding key semaphore	2020-04-23 10:36:45 +02:00
dsa	net: dsa: tag_mtk: fix 802.1ad VLAN egress	2021-03-20 10:39:47 +01:00
ethernet	net: add annotations on hh->hh_len lockless accesses	2020-01-09 10:20:06 +01:00
hsr	hsr: check protocol version in hsr_newlink()	2020-04-21 09:04:44 +02:00
ieee802154	nl802154: add missing attribute validation for dev_type	2020-03-18 07:17:44 +01:00
ife	net: Fix Kconfig indentation	2019-09-26 08:56:17 +02:00
ipv4	cipso,calipso: resolve a number of problems with the DOI refcounts	2021-03-17 17:03:35 +01:00
ipv6	cipso,calipso: resolve a number of problems with the DOI refcounts	2021-03-17 17:03:35 +01:00
iucv	net/af_iucv: remove WARN_ONCE on malformed RX packets	2021-03-07 12:20:42 +01:00
kcm	kcm: disable preemption in kcm_parse_func_strparser()	2019-09-27 10:27:14 +02:00
key	af_key: relax availability checks for skb size calculation	2021-02-13 13:52:54 +01:00
l2tp	l2tp: remove skb_dst_set() from l2tp_xmit_skb()	2020-07-22 09:32:47 +02:00
l3mdev	ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF	2019-06-23 13:24:17 -07:00
lapb	net: lapb: Copy the skb before sending a packet	2021-02-10 09:25:28 +01:00
llc	net: silence data-races on sk_backlog.tail	2020-10-01 13:17:15 +02:00
mac80211	mac80211: fix potential overflow when multiplying to u32 integers	2021-03-04 10:26:17 +01:00
mac802154	mac802154: tx: fix use-after-free	2020-10-01 13:18:17 +02:00
mpls	net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0	2021-03-17 17:03:31 +01:00
ncsi	net/ncsi: Use real net-device for response handler	2021-01-12 20:16:13 +01:00
netfilter	netfilter: x_tables: gpf inside xt_find_revision()	2021-03-17 17:03:32 +01:00
netlabel	cipso,calipso: resolve a number of problems with the DOI refcounts	2021-03-17 17:03:35 +01:00
netlink	genetlink: remove genl_bind	2020-07-22 09:32:46 +02:00
netrom	net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node	2020-04-29 16:33:08 +02:00
nfc	NFC: fix possible resource leak	2021-02-03 23:26:01 +01:00
nsh	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
openvswitch	net: openvswitch: ensure LSE is pullable before reading it	2020-12-08 10:40:27 +01:00
packet	net/packet: fix overflow in tpacket_rcv	2020-09-09 19:12:29 +02:00
phonet	net: use skb_queue_empty_lockless() in poll() handlers	2019-10-28 13:33:41 -07:00
psample	net: psample: fix skb_over_panic	2019-12-04 22:30:54 +01:00
qrtr	net/qrtr: fix __netdev_alloc_skb call	2021-03-24 11:26:39 +01:00
rds	net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS	2021-02-17 10:35:19 +01:00
rfkill	rfkill: Fix use-after-free in rfkill_resume()	2020-11-24 13:29:05 +01:00
rose	rose: Fix Null pointer dereference in rose_send_frame()	2020-12-08 10:40:23 +01:00
rxrpc	rxrpc: Fix clearance of Tx/Rx ring when releasing a call	2021-02-17 10:35:18 +01:00
sched	net: sched: avoid duplicates in classes dump	2021-03-17 17:03:35 +01:00
sctp	net: fix iteration for sctp transport seq_files	2021-02-17 10:35:19 +01:00
smc	net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid()	2020-11-24 13:28:58 +01:00
strparser	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-06-22 08:59:24 -04:00
sunrpc	sunrpc: fix refcount leak for rpc auth modules	2021-03-24 11:26:39 +01:00
switchdev	net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP	2021-02-07 15:35:46 +01:00
tipc	tipc: fix NULL deref in tipc_link_xmit()	2021-01-23 15:58:00 +01:00
tls	net/tls: Protect from calling tls_dev_del for TLS RX twice	2020-12-08 10:40:23 +01:00
unix	skbuff: fix a data race in skb_queue_len()	2020-10-01 13:17:31 +02:00
vmw_vsock	vsock: fix locking in vsock_shutdown()	2021-02-17 10:35:19 +01:00
wimax	wimax: no need to check return value of debugfs_create functions	2019-08-10 15:25:47 -07:00
wireless	wext: fix NULL-ptr-dereference with cfg80211's lack of commit()	2021-02-03 23:25:56 +01:00
x25	net/x25: prevent a couple of overflows	2020-12-08 10:40:26 +01:00
xdp	xsk: Replace datagram_poll by sock_poll_wait	2020-12-30 11:50:53 +01:00
xfrm	xfrm: interface: use icmp_ndo_send helper	2021-03-04 10:26:53 +01:00
compat.c	net/compat: Add missing sock updates for SCM_RIGHTS	2020-08-21 13:05:25 +02:00
Kconfig	net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build	2020-04-01 11:02:18 +02:00
Makefile
socket.c	net: Set fput_needed iff FDPUT_FPUT is set	2020-08-19 08:16:22 +02:00
sysctl_net.c	treewide: Add SPDX license identifier for missed files	2019-05-21 10:50:45 +02:00