Re: [PATCH] net: fm10k: check size from dma region

2020-07-04 Thread Zekun Shen
On Sat, Jul 04, 2020 at 12:41:07PM -0700, Alexander Duyck wrote:
> On Sat, Jul 4, 2020 at 9:37 AM Zekun Shen wrote:
> >
> > On Sat, Jul 04, 2020 at 09:05:48AM -0700, Alexander Duyck wrote:
> > > The upper limitation for the size should be 2K or FM10K_RX_BUFSZ, not

Re: [PATCH] net: fm10k: check size from dma region

2020-07-04 Thread Zekun Shen
On Sat, Jul 04, 2020 at 09:05:48AM -0700, Alexander Duyck wrote:
> The upper limitation for the size should be 2K or FM10K_RX_BUFSZ, not
> PAGE_SIZE. Otherwise you are still capable of going out of bounds
> because the offset is used within the page to push the start of the
> region up by 2K.
PAGE_

[PATCH] net: fm10k: check size from dma region

2020-07-03 Thread Zekun Shen
Size is read from a dma region as input from device. Add sanity check of size before calling dma_sync_single_range_for_cpu with it. This would prevent DMA-API warning: device driver tries to sync DMA memory it has not allocated. Signed-off-by: Zekun Shen --- drivers/net/ethernet/intel/fm10k

[PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n

2020-06-23 Thread Zekun Shen
The idx can also be negative as it's signed, giving a large memory space to write to. It's possibly exploitable by corrupting a legit pointer with a skb pointer. And then fill skb with payload as rogue object. Signed-off-by: Zekun Shen --- Part of the log here. Sometimes it appear

[PATCH] net: ath10k: sanity check for ep connectivity

2020-06-21 Thread Zekun Shen
Function ep_rx_complete is being called without NULL checking in ath10k_htc_rx_completion_handler. Without such check, malformed packet is able to cause jump to NULL. ep->service_id seems a good candidate for sanity check as it is used in usb.c. Signed-off-by: Zekun Shen --- drivers/

[PATCH] net: ath10k: fix memcpy size from untrusted input

2020-06-16 Thread Zekun Shen
s" in ath10k_pci_bmi_recv_data, which is set inside _ath10k_ce_completed_recv_next_nolock with the line nbytes = __le16_to_cpu(sdesc.nbytes); sdesc is a stream dma region which device can write to. Signed-off-by: Zekun Shen --- KASAN report stacktrace: [

[PATCH v2] net: alx: fix race condition in alx_remove

2020-06-15 Thread Zekun Shen
ain, alx_free_irq is moved before cancel_work_sync calls too. Signed-off-by: Zekun Shen --- Changes in v2: - move alx_free_irq before cancel_work_sync calls - prevent another interrupt to cause race condition drivers/net/ethernet/atheros/alx/main.c | 9 + 1 file changed, 5 insertions(+)

[PATCH] net: alx: fix race condition in alx_remove

2020-06-14 Thread Zekun Shen
termination and invoked before alx_remove, a null-ptr-deref occurs because both expect alx->napis[i]. This patch fixes the race condition by moving cancel_work_sync functions before alx_free_napis inside alx_stop. Signed-off-by: Zekun Shen --- drivers/net/ethernet/atheros/alx/main.c | 6 +++--- 1 f