tmp_suning_uos_patched

History

David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks. Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net>		2014-04-11 16:15:36 -04:00
..
9p
802
8021q
appletalk
atm	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
ax25	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
batman-adv
bluetooth	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
bridge
caif	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
can
ceph	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
core	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
dcb
dccp	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
decnet	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
dns_resolver
dsa
ethernet
hsr
ieee802154
ipv4	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
ipv6
ipx
irda
iucv	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
key	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
l2tp
lapb
llc
mac80211
mac802154
mpls
netfilter
netlabel
netlink	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
netrom	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
nfc	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
openvswitch
packet	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
phonet	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
rds	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
rfkill
rose	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
rxrpc	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
sched
sctp	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
sunrpc	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
tipc	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
unix	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
vmw_vsock	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
wimax
wireless
x25	net: Fix use after free by removing length arg from sk_data_ready callbacks.	2014-04-11 16:15:36 -04:00
xfrm
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c