diff options
author | Greg Kroah-Hartman <gregkh@google.com> | 2019-01-13 10:34:49 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@google.com> | 2019-01-13 10:34:49 +0100 |
commit | 241f76b17c3623dcb40911ac7fdc56c35f3095bf (patch) | |
tree | 068c14aa06e17f7f026ea9470a9bc7def0ed61cf /net/ipv6 | |
parent | a956c6a1637430223e94d12e75e5003de294f095 (diff) | |
parent | b83b3fa78445387f351cef477a112e503d72b9f0 (diff) |
Merge 4.4.170 into android-4.4
Changes in 4.4.170
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
USB: serial: option: add GosunCn ZTE WeLink ME3630
USB: serial: option: add HP lt4132
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Telit LN940 series
mmc: core: Reset HPI enabled state during re-init and in case of errors
mmc: omap_hsmmc: fix DMA API warning
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
drm/ioctl: Fix Spectre v1 vulnerabilities
ip6mr: Fix potential Spectre v1 vulnerability
ipv4: Fix potential Spectre v1 vulnerability
ax25: fix a use-after-free in ax25_fillin_cb()
ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
ieee802154: lowpan_header_create check must check daddr
ipv6: explicitly initialize udp6_addr in udp_sock_create6()
isdn: fix kernel-infoleak in capi_unlocked_ioctl
netrom: fix locking in nr_find_socket()
packet: validate address length
packet: validate address length if non-zero
sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
vhost: make sure used idx is seen before log in vhost_add_used_n()
VSOCK: Send reset control packet when socket is partially bound
xen/netfront: tolerate frags with no data
gro_cell: add napi_disable in gro_cells_destroy
sock: Make sock->sk_stamp thread-safe
ALSA: rme9652: Fix potential Spectre v1 vulnerability
ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
ALSA: pcm: Fix potential Spectre v1 vulnerability
ALSA: emux: Fix potential Spectre v1 vulnerabilities
ALSA: hda: add mute LED support for HP EliteBook 840 G4
ALSA: hda/tegra: clear pending irq handlers
USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
USB: serial: option: add Fibocom NL678 series
usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
perf pmu: Suppress potential format-truncation warning
ext4: fix possible use after free in ext4_quota_enable
ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
ext4: fix EXT4_IOC_GROUP_ADD ioctl
ext4: force inode writes when nfsd calls commit_metadata()
spi: bcm2835: Fix race on DMA termination
spi: bcm2835: Fix book-keeping of DMA termination
spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
media: vivid: free bitmap_cap when updating std/timings/etc.
MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
MIPS: Align kernel load address to 64KB
CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem
x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
spi: bcm2835: Unbreak the build of esoteric configs
powerpc: Fix COFF zImage booting on old powermacs
ARM: imx: update the cpu power up timing setting on i.mx6sx
Input: restore EV_ABS ABS_RESERVED
checkstack.pl: fix for aarch64
xfrm: Fix bucket count reported to userspace
scsi: bnx2fc: Fix NULL dereference in error handling
Input: omap-keypad - fix idle configuration to not block SoC idle states
scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
fork: record start_time late
hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
mm, devm_memremap_pages: kill mapping "System RAM" support
sunrpc: fix cache_head leak due to queued request
sunrpc: use SVC_NET() in svcauth_gss_* functions
crypto: x86/chacha20 - avoid sleeping with preemption disabled
ALSA: cs46xx: Potential NULL dereference in probe
ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
dlm: fixed memory leaks after failed ls_remove_names allocation
dlm: possible memory leak on error path in create_lkb()
dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
dlm: memory leaks on error path in dlm_user_request()
gfs2: Fix loop in gfs2_rbm_find
b43: Fix error in cordic routine
9p/net: put a lower bound on msize
iommu/vt-d: Handle domain agaw being less than iommu agaw
ceph: don't update importing cap's mseq when handing cap export
genwqe: Fix size check
intel_th: msu: Fix an off-by-one in attribute store
power: supply: olpc_battery: correct the temperature units
Linux 4.4.170
Change-Id: I1b2927583f8853bfeb3ad11d045c2cf5c5c926f3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/ip6_udp_tunnel.c | 3 | ||||
-rw-r--r-- | net/ipv6/ip6mr.c | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c index 14dacf1df529..30b03d8e321a 100644 --- a/net/ipv6/ip6_udp_tunnel.c +++ b/net/ipv6/ip6_udp_tunnel.c @@ -15,7 +15,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, struct socket **sockp) { - struct sockaddr_in6 udp6_addr; + struct sockaddr_in6 udp6_addr = {}; int err; struct socket *sock = NULL; @@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, goto error; if (cfg->peer_udp_port) { + memset(&udp6_addr, 0, sizeof(udp6_addr)); udp6_addr.sin6_family = AF_INET6; memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6, sizeof(udp6_addr.sin6_addr)); diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c index 9b92960f024d..74b3e9718e84 100644 --- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c @@ -72,6 +72,8 @@ struct mr6_table { #endif }; +#include <linux/nospec.h> + struct ip6mr_rule { struct fib_rule common; }; @@ -1871,6 +1873,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg) return -EFAULT; if (vr.mifi >= mrt->maxvif) return -EINVAL; + vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); read_lock(&mrt_lock); vif = &mrt->vif6_table[vr.mifi]; if (MIF_EXISTS(mrt, vr.mifi)) { @@ -1945,6 +1948,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) return -EFAULT; if (vr.mifi >= mrt->maxvif) return -EINVAL; + vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); read_lock(&mrt_lock); vif = &mrt->vif6_table[vr.mifi]; if (MIF_EXISTS(mrt, vr.mifi)) { |