/*
 * Copyright (C) 2015 Russell King
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * This assembly is required to safely remap the physical address space
 * for Keystone 2
 */

/*
 * NOTE(review): the five header names below were stripped from this
 * listing. The code needs definitions for ENTRY/ENDPROC, CR_M,
 * SECTION_SHIFT and PAGE_OFFSET; restore the include targets from the
 * upstream file before assembling.
 */
#include
#include
#include
#include
#include

/*
 * The routine is emitted into .idmap.text, presumably so that it keeps
 * executing at the same address once translation is switched off -
 * confirm against the linker script.
 */
	.section ".idmap.text", "ax"

/* log2 of the descriptor size: each level 1 / level 2 entry is 8 bytes. */
#define L1_ORDER 3
#define L2_ORDER 3

/*
 * lpae_pgtables_remap_asm
 *
 * Adds a 64-bit value to page table descriptors and to TTBR0/TTBR1 while
 * the MMU is turned off, then invalidates the I-cache/BTB and the TLB and
 * restores the saved control register.
 *
 * In:
 *   r1:r0  64-bit addend (r0 = low word, r1 = high word) applied to every
 *          descriptor touched and to both TTBRs.
 *   r2     base of the tables: four level 1 entries start at r2, level 2
 *          entries start at r2 + 0x1000.
 *   r3     address of the boot data; only used to locate its level 2
 *          entries.
 * Out:     nothing.
 * Clobbers: ip, flags. r4-r8 and lr are saved on entry and restored on
 *          return.
 *
 * Review notes:
 *   - All table accesses between the two control register writes are made
 *     with CR_M cleared, so r2 presumably has to be usable as an address
 *     with translation off - TODO confirm against the caller.
 *   - r2 and r3 are used without any range check; the caller is trusted
 *     to pass correct values, since a wrong one silently rewrites
 *     unrelated memory as if it were descriptors.
 *   - Only this CPU has its I-cache/BTB and TLB invalidated here;
 *     presumably no other CPU is using these tables yet - confirm.
 *   - The stack is only touched before the MMU is disabled and after it
 *     is re-enabled.
 */
ENTRY(lpae_pgtables_remap_asm)
	stmfd	sp!, {r4-r8, lr}

	mrc	p15, 0, r8, c1, c0, 0		@ read control reg, kept in r8 for the restore below
	bic	ip, r8, #CR_M			@ disable caches and MMU
	mcr	p15, 0, ip, c1, c0, 0
	dsb					@ barriers before touching the tables
	isb

	/*
	 * Update level 2 entries covering the kernel.
	 *
	 * Shifting an address right by (SECTION_SHIFT - L2_ORDER) gives the
	 * byte offset of its 8-byte level 2 entry. r7 walks from the entry
	 * for PAGE_OFFSET; r6 is the bound derived from _end - 1. r6 is not
	 * rounded down to an entry boundary, and the unsigned "lower or
	 * same" test still covers the entry that contains it.
	 */
	ldr	r6, =(_end - 1)
	add	r7, r2, #0x1000			@ r7 = start of the level 2 entries
	add	r6, r7, r6, lsr #SECTION_SHIFT - L2_ORDER
	add	r7, r7, #PAGE_OFFSET >> (SECTION_SHIFT - L2_ORDER)
1:	ldrd	r4, [r7]			@ r5:r4 = descriptor
	adds	r4, r4, r0			@ 64-bit add, carry into the high word
	adc	r5, r5, r1
	strd	r4, [r7], #1 << L2_ORDER	@ store, then step to the next entry
	cmp	r7, r6
	bls	1b

	/*
	 * Update level 2 entries for the boot data.
	 *
	 * The entry address is aligned down to 8 bytes, then that entry and
	 * the one after it are adjusted.
	 * NOTE(review): assumes these two entries are outside the range the
	 * loop above already adjusted, otherwise the addend would be applied
	 * twice - confirm against the caller.
	 */
	add	r7, r2, #0x1000
	add	r7, r7, r3, lsr #SECTION_SHIFT - L2_ORDER
	bic	r7, r7, #(1 << L2_ORDER) - 1	@ align to the start of the entry
	ldrd	r4, [r7]
	adds	r4, r4, r0
	adc	r5, r5, r1
	strd	r4, [r7], #1 << L2_ORDER
	ldrd	r4, [r7]			@ second, following entry
	adds	r4, r4, r0
	adc	r5, r5, r1
	strd	r4, [r7]

	/* Update level 1 entries: four 8-byte entries starting at r2 */
	mov	r6, #4				@ r6 = entries remaining
	mov	r7, r2
2:	ldrd	r4, [r7]
	adds	r4, r4, r0
	adc	r5, r5, r1
	strd	r4, [r7], #1 << L1_ORDER
	subs	r6, r6, #1
	bne	2b

	/* Apply the same addend to both translation table base registers */
	mrrc	p15, 0, r4, r5, c2		@ read TTBR0
	adds	r4, r4, r0			@ update physical address
	adc	r5, r5, r1
	mcrr	p15, 0, r4, r5, c2		@ write back TTBR0
	mrrc	p15, 1, r4, r5, c2		@ read TTBR1
	adds	r4, r4, r0			@ update physical address
	adc	r5, r5, r1
	mcrr	p15, 1, r4, r5, c2		@ write back TTBR1

	dsb					@ complete the table stores before the invalidates

	/* Drop anything cached from the old translations on this CPU */
	mov	ip, #0
	mcr	p15, 0, ip, c7, c5, 0		@ I+BTB cache invalidate
	mcr	p15, 0, ip, c8, c7, 0		@ local_flush_tlb_all()
	dsb
	isb

	mcr	p15, 0, r8, c1, c0, 0		@ re-enable MMU (restore the saved control reg)
	dsb
	isb

	ldmfd	sp!, {r4-r8, pc}		@ restore registers and return
ENDPROC(lpae_pgtables_remap_asm)
netlabel: out of bound access in cipso_v4_validate()
Eric Dumazet1-0/+4
syzkaller found another out of bound access in ip_options_compile(), or more exactly in cipso_v4_validate() Fixes: 20e2a8648596 ("cipso: handle CIPSO options correctly when NetLabel is disabled") Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Paul Moore <paul@paul-moore.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-31ipv6: fix flow labels when the traffic class is non-0Dimitris Michailidis1-0/+5
ip6_make_flowlabel() determines the flow label for IPv6 packets. It's supposed to be passed a flow label, which it returns as is if non-0 and in some other cases, otherwise it calculates a new value. The problem is callers often pass a flowi6.flowlabel, which may also contain traffic class bits. If the traffic class is non-0 ip6_make_flowlabel() mistakes the non-0 it gets as a flow label and returns the whole thing. Thus it can return a 'flow label' longer than 20b and the low 20b of that is typically 0 resulting in packets with 0 label. Moreover, different packets of a flow may be labeled differently. For a TCP flow with ECN non-payload and payload packets get different labels as exemplified by this pair of consecutive packets: (pure ACK) Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2:: 0110 .... = Version: 6 .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT) .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0) .... .... .... 0001 1100 1110 0100 1001 = Flow Label: 0x1ce49 Payload Length: 32 Next Header: TCP (6) (payload) Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2:: 0110 .... = Version: 6 .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0)) .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2) .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000 Payload Length: 688 Next Header: TCP (6) This patch allows ip6_make_flowlabel() to be passed more than just a flow label and has it extract the part it really wants. This was simpler than modifying the callers. 
With this patch packets like the above become Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2:: 0110 .... = Version: 6 .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT) .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0) .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e Payload Length: 32 Next Header: TCP (6) Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2:: 0110 .... = Version: 6 .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0)) .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0) .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2) .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e Payload Length: 688 Next Header: TCP (6) Signed-off-by: Dimitris Michailidis <dmichail@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>