From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
James Hughes <james.hughes@raspberrypi.org>,
Arend van Spriel <arend.vanspriel@broadcom.com>,
Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.11 04/28] brcmfmac: Ensure pointer correctly set if skb data location changes
Date: Thu, 11 May 2017 16:12:21 +0200 [thread overview]
Message-ID: <20170511141221.408155746@linuxfoundation.org> (raw)
In-Reply-To: <20170511141221.109842231@linuxfoundation.org>
4.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hughes <james.hughes@raspberrypi.org>
commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream.
The incoming skb header may be resized if header space is
insufficient, which might change the data adddress in the skb.
Ensure that a cached pointer to that data is correctly set by
moving assignment to after any possible changes.
Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm
int ret;
struct brcmf_if *ifp = netdev_priv(ndev);
struct brcmf_pub *drvr = ifp->drvr;
- struct ethhdr *eh = (struct ethhdr *)(skb->data);
+ struct ethhdr *eh;
brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm
goto done;
}
+ eh = (struct ethhdr *)(skb->data);
+
if (eh->h_proto == htons(ETH_P_PAE))
atomic_inc(&ifp->pend_8021x_cnt);
next prev parent reply other threads:[~2017-05-11 14:12 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-11 14:12 [PATCH 4.11 00/28] 4.11.1-stable review Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 01/28] dm ioctl: prevent stack leak in dm ioctl call Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 02/28] drm/sti: fix GDP size to support up to UHD resolution Greg Kroah-Hartman
2017-05-11 14:12 ` Greg Kroah-Hartman [this message]
2017-05-11 14:12 ` [PATCH 4.11 05/28] brcmfmac: Make skb header writable before use Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 06/28] sparc64: fix fault handling in NGbzero.S and GENbzero.S Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 08/28] net: macb: fix phy interrupt parsing Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 09/28] tcp: fix access to sk->sk_state in tcp_poll() Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 10/28] geneve: fix incorrect setting of UDP checksum flag Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 11/28] bpf: enhance verifier to understand stack pointer arithmetic Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 12/28] bpf, arm64: fix jit branch offset related to ldimm64 Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 13/28] tcp: fix wraparound issue in tcp_lp Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 14/28] net: ipv6: Do not duplicate DAD on link up Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 16/28] tcp: do not inherit fastopen_req from parent Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 17/28] ipv4, ipv6: ensure raw socket message is big enough to hold an IP header Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 18/28] rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 19/28] ipv6: initialize route null entry in addrconf_init() Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 20/28] ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 21/28] tcp: randomize timestamps on syncookies Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 22/28] bnxt_en: allocate enough space for ->ntp_fltr_bmap Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 23/28] bpf: dont let ldimm64 leak map addresses on unprivileged Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 24/28] net: mdio-mux: bcm-iproc: call mdiobus_free() in error path Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 25/28] f2fs: sanity check segment count Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 26/28] xen/arm,arm64: fix xen_dma_ops after 815dd18 "Consolidate get_dma_ops..." Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 27/28] xen: Revert commits da72ff5bfcb0 and 72a9b186292d Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.11 28/28] block: get rid of blk_integrity_revalidate() Greg Kroah-Hartman
2017-05-12 15:25 ` [PATCH 4.11 00/28] 4.11.1-stable review Shuah Khan
2017-05-12 15:47 ` Greg Kroah-Hartman
2017-05-12 16:01 ` Shuah Khan
2017-05-15 14:36 ` Matt Fleming
2017-05-15 17:28 ` Shuah Khan
2017-05-25 11:39 ` Matt Fleming
2017-05-25 20:06 ` Ard Biesheuvel
2017-05-12 19:50 ` Guenter Roeck
2017-05-14 10:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170511141221.408155746@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arend.vanspriel@broadcom.com \
--cc=james.hughes@raspberrypi.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).