From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Antonio Pastor <antonio.pastor@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 010/127] net: 802: LLC+SNAP OID:PID lookup on start of skb data
Date: Tue, 21 Jan 2025 18:51:22 +0100 [thread overview]
Message-ID: <20250121174530.072352519@linuxfoundation.org> (raw)
In-Reply-To: <20250121174529.674452028@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antonio Pastor <antonio.pastor@gmail.com>
[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ]
802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA
have skb->transport_header set two bytes short, or pointing 2 bytes
before network_header & skb->data. This was an issue as snap_rcv()
expected offset to point to SNAP header (OID:PID), causing packet to
be dropped.
A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any
LLC consumers that may care about it, and stops SNAP packets from being
dropped, but doesn't fix the problem which is that LLC and SNAP should
not use transport_header offset.
Ths patch eliminates the use of transport_header offset for SNAP lookup
of OID:PID so that SNAP does not rely on the offset at all.
The offset is reset after pull for any SNAP packet consumers that may
(but shouldn't) use it.
Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/802/psnap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/802/psnap.c b/net/802/psnap.c
index 4492e8d7ad20..ed6e17c8cce9 100644
--- a/net/802/psnap.c
+++ b/net/802/psnap.c
@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
goto drop;
rcu_read_lock();
- proto = find_snap_client(skb_transport_header(skb));
+ proto = find_snap_client(skb->data);
if (proto) {
/* Pass the frame on. */
- skb->transport_header += 5;
skb_pull_rcsum(skb, 5);
+ skb_reset_transport_header(skb);
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
}
rcu_read_unlock();
--
2.39.5
next prev parent reply other threads:[~2025-01-21 18:08 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-21 17:51 [PATCH 5.15 000/127] 5.15.177-rc1 review Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 001/127] ceph: give up on paths longer than PATH_MAX Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 002/127] jbd2: flush filesystem device before updating tail sequence Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 003/127] dm array: fix releasing a faulty array block twice in dm_array_cursor_end Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 004/127] dm array: fix unreleased btree blocks on closing a faulty array cursor Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 005/127] dm array: fix cursor index when skipping across block boundaries Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 006/127] exfat: fix the infinite loop in exfat_readdir() Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 007/127] exfat: fix the infinite loop in __exfat_free_cluster() Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 008/127] ASoC: mediatek: disable buffer pre-allocation Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 009/127] ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Greg Kroah-Hartman
2025-01-21 17:51 ` Greg Kroah-Hartman [this message]
2025-01-21 17:51 ` [PATCH 5.15 011/127] tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 012/127] tcp/dccp: allow a connection when sk_max_ack_backlog is zero Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 013/127] net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 014/127] bnxt_en: Fix possible memory leak when hwrm_req_replace fails Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 015/127] cxgb4: Avoid removal of uninserted tid Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 016/127] tls: Fix tls_sw_sendmsg error handling Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 017/127] netfilter: nf_tables: imbalance in flowtable binding Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 018/127] netfilter: conntrack: clamp maximum hashtable size to INT_MAX Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 019/127] drm/mediatek: Add support for 180-degree rotation in the display driver Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 020/127] ksmbd: fix a missing return value check bug Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 021/127] afs: Fix the maximum cell name length Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 022/127] dm thin: make get_first_thin use rcu-safe list first function Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 023/127] dm-ebs: dont set the flag DM_TARGET_PASSES_INTEGRITY Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 024/127] sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 025/127] sctp: sysctl: rto_min/max: " Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 026/127] sctp: sysctl: auth_enable: " Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 027/127] sctp: sysctl: udp_port: " Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 028/127] sctp: sysctl: plpmtud_probe_interval: " Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 029/127] drm/amd/display: Add check for granularity in dml ceil/floor helpers Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 030/127] riscv: Fix sleeping in invalid context in die() Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 031/127] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 032/127] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 033/127] drm/amd/display: increase MAX_SURFACES to the value supported by hw Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 034/127] drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset Greg Kroah-Hartman
2025-01-22 0:21 ` Dominique Martinet
2025-01-22 8:05 ` Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 035/127] zram: check comp is non-NULL before calling comp_destroy Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 036/127] zram: fix uninitialized ZRAM not releasing backing device Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 037/127] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 038/127] md/raid5: fix atomicity violation in raid5_cache_count Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 039/127] USB: serial: option: add MeiG Smart SRM815 Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 040/127] USB: serial: option: add Neoway N723-EA support Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 041/127] staging: iio: ad9834: Correct phase range check Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 042/127] staging: iio: ad9832: " Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 043/127] usb-storage: Add max sectors quirk for Nokia 208 Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 044/127] USB: serial: cp210x: add Phoenix Contact UPS Device Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 045/127] usb: dwc3: gadget: fix writing NYET threshold Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 046/127] topology: Keep the cpumask unchanged when printing cpumap Greg Kroah-Hartman
2025-01-21 17:51 ` [PATCH 5.15 047/127] usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 048/127] USB: usblp: return error when setting unsupported protocol Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 049/127] USB: core: Disable LPM only for non-suspended ports Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 050/127] usb: fix reference leak in usb_new_device() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 051/127] usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 052/127] usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 053/127] iio: pressure: zpa2326: fix information leak in triggered buffer Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 054/127] iio: dummy: iio_simply_dummy_buffer: " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 055/127] iio: light: vcnl4035: " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 056/127] iio: imu: kmx61: " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 057/127] iio: adc: ti-ads8688: " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 058/127] iio: gyro: fxas21002c: Fix missing data update in trigger handler Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 059/127] iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 060/127] iio: adc: at91: call input_free_device() on allocated iio_dev Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 061/127] iio: inkern: call iio_device_put() only on mapped devices Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 062/127] iio: adc: ad7124: Disable all channels at probe time Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 063/127] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 064/127] arm64: dts: rockchip: add hevc power domain clock to rk3328 Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 065/127] of: unittest: Add bus address range parsing tests Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 066/127] of/address: Add support for 3 address cell bus Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 067/127] of: address: Fix address translation when address-size is greater than 2 Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 068/127] of: address: Remove duplicated functions Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 069/127] of: address: Store number of bus flag cells rather than bool Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 070/127] of: address: Preserve the flags portion on 1:1 dma-ranges mapping Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 071/127] phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 072/127] phy: usb: Toggle the PHY power during init Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 073/127] ocfs2: correct return value of ocfs2_local_free_info() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 074/127] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 075/127] mptcp: drop port parameter of mptcp_pm_add_addr_signal Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 076/127] mptcp: fix TCP options overflow Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 077/127] phy: usb: Use slow clock for wake enabled suspend Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 078/127] phy: usb: Fix clock imbalance for suspend/resume Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 079/127] net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 080/127] bpf: Fix bpf_sk_select_reuseport() memory leak Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 081/127] pktgen: Avoid out-of-bounds access in get_imix_entries Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 082/127] net: add exit_batch_rtnl() method Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 083/127] gtp: use " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 084/127] gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 085/127] gtp: Destroy device along with udp sockets netns dismantle Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 086/127] nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 087/127] net: xilinx: axienet: Fix IRQ coalescing packet count overflow Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 088/127] net/mlx5: Add priorities for counters in RDMA namespaces Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 089/127] net/mlx5: Refactor mlx5_get_flow_namespace Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 090/127] net/mlx5: Fix RDMA TX steering prio Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 091/127] drm/v3d: Ensure job pointer is set to NULL after job completion Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 092/127] hwmon: (tmp513) Fix division of negative numbers Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 093/127] Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 094/127] i2c: mux: demux-pinctrl: check initial mux selection, too Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 095/127] i2c: rcar: fix NACK handling when being a target Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 096/127] mac802154: check local interfaces before deleting sdata list Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 097/127] hfs: Sanity check the root record Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 098/127] fs: fix missing declaration of init_files Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 099/127] kheaders: Ignore silly-rename files Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 100/127] ACPI: resource: acpi_dev_irq_override(): Check DMI match last Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 101/127] poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 102/127] nvmet: propagate npwg topology Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 103/127] zram: fix potential UAF of zram table Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 104/127] x86/asm: Make serialize() always_inline Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 105/127] net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 106/127] vsock/virtio: cancel close work in the destructor Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 5.15 107/127] vsock: reset socket state when de-assigning the transport Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 108/127] vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 109/127] filemap: avoid truncating 64-bit offset to 32 bits Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 110/127] fs/proc: fix softlockup in __read_vmcore (part 2) Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 111/127] gpiolib: cdev: Fix use after free in lineinfo_changed_notify Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 112/127] irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 113/127] hrtimers: Handle CPU state correctly on hotplug Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 114/127] drm/i915/fb: Relax clear color alignment to 64 bytes Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 115/127] Revert "PCI: Use preserve_config in place of pci_flags" Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 116/127] iio: imu: inv_icm42600: fix spi burst write not supported Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 117/127] iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 118/127] iio: adc: rockchip_saradc: fix information leak in triggered buffer Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 119/127] Revert "drm/amdgpu: rework resume handling for display (v2)" Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 120/127] Revert "regmap: detach regmap from dev on regmap_exit" Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 121/127] blk-cgroup: Fix UAF in blkcg_unpin_online() Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 122/127] vsock/virtio: discard packets if the transport changes Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 123/127] ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 124/127] nfsd: add list_head nf_gc to struct nfsd_file Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 125/127] x86/xen: fix SLS mitigation in xen_hypercall_iret() Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 126/127] scsi: sg: Fix slab-use-after-free read in sg_release() Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 5.15 127/127] net: fix data-races around sk->sk_forward_alloc Greg Kroah-Hartman
2025-01-21 18:29 ` [PATCH 5.15 000/127] 5.15.177-rc1 review Florian Fainelli
2025-01-21 23:36 ` Shuah Khan
2025-01-21 23:45 ` SeongJae Park
2025-01-22 13:08 ` Vijayendra Suman
2025-01-22 13:23 ` Jon Hunter
2025-01-22 20:15 ` [PATCH 5.15] " Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250121174530.072352519@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=antonio.pastor@gmail.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox