linux/drivers/scsi
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about its
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00
..
aacraid [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
aic7xxx [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
aic94xx [SCSI] libsas: implement > 16 byte CDB support 2013-06-04 11:15:59 -07:00
arcmsr [SCSI] arcmsr: upper 32 of dma address lost 2014-03-15 10:19:19 -07:00
arm [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
be2iscsi Merge branch 'for-3.15/core' of git://git.kernel.dk/linux-block 2014-04-01 19:19:15 -07:00
bfa [SCSI] bfa: Replace large udelay() with mdelay() 2014-03-19 15:04:47 -07:00
bnx2fc CPU hotplug notifiers registration fixes for 3.15-rc1 2014-04-07 14:55:46 -07:00
bnx2i CPU hotplug notifiers registration fixes for 3.15-rc1 2014-04-07 14:55:46 -07:00
csiostor Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
cxgbi [SCSI] cxgb4i: Use cxgb4_select_ntuple to correctly calculate ntuple fields 2014-03-15 10:19:18 -07:00
device_handler [SCSI] scsi_dh_alua: ALUA handler attach should succeed while TPG is transitioning 2013-10-25 11:19:33 +01:00
dpt
esas2r [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
fcoe scsi, fcoe: Fix CPU hotplug callback registration 2014-03-20 13:43:45 +01:00
fnic Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
ibmvscsi [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
isci [SCSI] isci: update version to 1.2 2014-03-15 10:19:17 -07:00
libfc fcp: Do not interpret check condition as underrun 2013-09-04 13:52:35 -07:00
libsas SCSI misc on 20140401 2014-04-01 18:49:04 -07:00
lpfc [SCSI] lpfc: use NULL instead of 0 for pointer 2014-03-15 10:18:58 -07:00
megaraid [SCSI] megaraid_sas: Version and Changelog update 2014-03-15 10:19:21 -07:00
mpt2sas Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
mpt3sas Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
mvsas SCSI: remove unnecessary pci_set_drvdata() 2013-10-14 15:26:04 +02:00
osd block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
pcmcia nsp_cs: switch to ->show_info() 2013-04-09 14:13:21 -04:00
pm8001 [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
qla2xxx SCSI misc on 20140401 2014-04-01 18:49:04 -07:00
qla4xxx [SCSI] libiscsi: Reduce locking contention in fast path 2014-03-15 10:19:18 -07:00
sym53c8xx_2 PCI: Convert pcibios_resource_to_bus() to take a pci_bus, not a pci_dev 2013-12-21 10:06:10 -07:00
ufs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
.gitignore
3w-9xxx.c [SCSI] Disable WRITE SAME for RAID and virtual host adapter drivers 2013-11-29 08:48:39 +04:00
3w-9xxx.h
3w-sas.c [SCSI] Disable WRITE SAME for RAID and virtual host adapter drivers 2013-11-29 08:48:39 +04:00
3w-sas.h
3w-xxxx.c [SCSI] Disable WRITE SAME for RAID and virtual host adapter drivers 2013-11-29 08:48:39 +04:00
3w-xxxx.h
53c700_d.h_shipped
53c700.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
53c700.h
53c700.scr
a100u2w.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
a100u2w.h
a2091.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
a2091.h
a3000.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
a3000.h
a4000t.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
advansys.c [SCSI] advansys: Remove 'last_reset' references 2013-10-25 11:44:54 +01:00
aha152x.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
aha152x.h
aha1542.c treewide: Put a space between #include and FILE 2012-06-28 11:44:36 +02:00
aha1542.h
aha1740.c aha1740: switch to ->show_info() 2013-04-09 14:13:23 -04:00
aha1740.h
atari_NCR5380.c atari_scsi: switch to ->show_info() 2013-04-09 14:13:29 -04:00
atari_scsi.c [SCSI] atari_scsi: Fix sleep_on race 2014-03-10 21:15:09 +01:00
atari_scsi.h atari_scsi: switch to ->show_info() 2013-04-09 14:13:29 -04:00
atp870u.c SCSI: remove unnecessary pci_set_drvdata() 2013-10-14 15:26:04 +02:00
atp870u.h
BusLogic.c [SCSI] buslogic: Added check for DMA mapping errors 2013-10-25 09:57:57 +01:00
BusLogic.h [SCSI] BusLogic: Port driver to 64-bit. 2013-06-26 18:32:47 -07:00
bvme6000_scsi.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
ch.c scsi: convert to idr_alloc() 2013-02-27 19:10:18 -08:00
constants.c [SCSI] scsi constants: command, sense key + additional sense strings 2013-07-09 22:52:29 +01:00
dc395x.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
dc395x.h
dmx3191d.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
dpt_i2o.c [SCSI] dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset 2013-10-25 11:40:42 +01:00
dpti.h [SCSI] dpt_i2o: Remove DPTI_STATE_IOCTL 2013-10-25 11:36:26 +01:00
dtc.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
dtc.h NCR5830: switch to ->show_info() 2013-04-09 14:13:17 -04:00
eata_generic.h
eata_pio.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
eata_pio.h
eata.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
esp_scsi.c esp_scsi: Fix tag state corruption when autosensing. 2013-08-01 18:08:34 -07:00
esp_scsi.h esp_scsi: Fix tag state corruption when autosensing. 2013-08-01 18:08:34 -07:00
fdomain.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
fdomain.h
FlashPoint.c [SCSI] BusLogic: Port driver to 64-bit. 2013-06-26 18:32:47 -07:00
g_NCR5380_mmio.c
g_NCR5380.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
g_NCR5380.h
gdth_ioctl.h
gdth_proc.c gdth: switch to ->show_info() 2013-04-09 14:13:16 -04:00
gdth_proc.h gdth: switch to ->show_info() 2013-04-09 14:13:16 -04:00
gdth.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
gdth.h gdth: switch to ->show_info() 2013-04-09 14:13:16 -04:00
gvp11.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
gvp11.h
hosts.c [SCSI] scsi_error: disable eh_deadline if no host_reset_handler is set 2014-03-15 10:18:59 -07:00
hpsa_cmd.h [SCSI] hpsa: Add hba mode to the hpsa driver 2014-03-15 10:19:23 -07:00
hpsa.c [SCSI] hpsa: update driver version to 3.4.4-1 2014-03-19 15:16:07 -07:00
hpsa.h [SCSI] hpsa: Add hba mode to the hpsa driver 2014-03-15 10:19:23 -07:00
hptiop.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
hptiop.h [SCSI] hptiop: Support HighPoint RR4520/RR4522 HBA 2012-11-27 08:59:43 +04:00
imm.c imm: switch to ->show_info() 2013-04-09 14:13:16 -04:00
imm.h
in2000.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
in2000.h
initio.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
initio.h
ipr.c Merge branch 'for-3.15/core' of git://git.kernel.dk/linux-block 2014-04-01 19:19:15 -07:00
ipr.h [SCSI] ipr: Add new CCIN definition for Grand Canyon support 2014-03-19 15:04:42 -07:00
ips.c [SCSI] Disable WRITE SAME for RAID and virtual host adapter drivers 2013-11-29 08:48:39 +04:00
ips.h ips: switch to ->show_info() 2013-04-09 14:13:27 -04:00
iscsi_boot_sysfs.c [SCSI] iscsi_boot_sysfs: Fix a memory leak in iscsi_boot_destroy_kset() 2014-03-15 10:19:19 -07:00
iscsi_tcp.c net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
iscsi_tcp.h net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
jazz_esp.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-01-22 21:21:55 -08:00
lasi700.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
libiscsi_tcp.c [SCSI] libiscsi: Reduce locking contention in fast path 2014-03-15 10:19:18 -07:00
libiscsi.c Main batch of InfiniBand/RDMA changes for 3.15: 2014-04-03 16:57:19 -07:00
libsrp.c scsi: Fix up files implicitly depending on module.h inclusion 2011-10-31 19:31:24 -04:00
mac53c94.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
mac53c94.h
mac_esp.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
mac_scsi.c [SCSI] mac_scsi: Fix crash on out of memory 2013-12-19 20:56:28 -08:00
mac_scsi.h NCR5830: switch to ->show_info() 2013-04-09 14:13:17 -04:00
Makefile [SCSI] aci7xxx_old: delete decade+ obsolete driver 2013-12-19 07:39:02 -08:00
megaraid.c [SCSI] megaraid: simplify internal command handling 2014-03-27 08:26:31 -07:00
megaraid.h [SCSI] megaraid: simplify internal command handling 2014-03-27 08:26:31 -07:00
mesh.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
mesh.h
mvme16x_scsi.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
mvme147.c switch wd33c93 to ->show_info() 2013-04-09 14:13:15 -04:00
mvme147.h
mvumi.c SCSI: remove unnecessary pci_set_drvdata() 2013-10-14 15:26:04 +02:00
mvumi.h [SCSI] mvumi: Use PCI_VENDOR_ID_MARVELL_EXT for 0x1b4b 2013-04-15 14:30:44 -06:00
ncr53c8xx.c treewide: Fix common typo in "identify" 2013-10-14 15:31:06 +02:00
ncr53c8xx.h
NCR53c406a.c
NCR5380.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
NCR5380.h NCR5830: switch to ->show_info() 2013-04-09 14:13:17 -04:00
NCR_D700.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
NCR_D700.h
NCR_Q720.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
NCR_Q720.h
nsp32_debug.c
nsp32_io.h
nsp32.c [SCSI] nsp32: use mdelay instead of large udelay constants 2013-06-19 17:53:35 +02:00
nsp32.h
osst_detect.h
osst_options.h
osst.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
osst.h
pas16.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
pas16.h NCR5830: switch to ->show_info() 2013-04-09 14:13:17 -04:00
pmcraid.c SCSI fixes on 20131206 2013-12-06 08:30:18 -08:00
pmcraid.h scsi: Fix typo in pmcraid.h 2012-02-21 11:40:37 +01:00
ppa.c ppa: switch to ->show_info() 2013-04-09 14:13:17 -04:00
ppa.h
ps3rom.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
qla1280.c x86, platforms: Remove SGI Visual Workstation 2014-02-27 08:07:39 -08:00
qla1280.h
qlogicfas408.c
qlogicfas408.h
qlogicfas.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
qlogicpti.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
qlogicpti.h
raid_class.c
script_asm.pl
scsi_debug.c [SCSI] scsi_debug: add ability to enable clustering 2014-03-19 15:04:37 -07:00
scsi_devinfo.c [SCSI] Workaround for disks that report bad optimal transfer length 2013-06-24 13:00:10 -07:00
scsi_error.c [SCSI] do not manipulate device reference counts in scsi_get/put_command 2014-03-15 10:19:24 -07:00
scsi_ioctl.c
scsi_lib_dma.c scsi: Add export.h for EXPORT_SYMBOL/THIS_MODULE as required 2011-10-31 19:31:23 -04:00
scsi_lib.c [SCSI] remove a useless get/put_device pair in scsi_requeue_command 2014-03-15 10:19:25 -07:00
scsi_logging.h
scsi_module.c
scsi_netlink.c scsi: replace obsolete NLMSG_* with type safe nlmsg_* 2013-03-28 14:27:24 -04:00
scsi_pm.c [SCSI] sr: use block layer runtime PM 2013-12-16 10:57:51 -08:00
scsi_priv.h [SCSI] improved eh timeout handler 2013-12-19 07:39:02 -08:00
scsi_proc.c fix buffer leak after "scsi: saner replacements for ->proc_info()" 2013-05-31 15:16:51 -04:00
scsi_sas_internal.h
scsi_scan.c [SCSI] Add EVPD page 0x83 and 0x80 to sysfs 2014-03-27 08:25:33 -07:00
scsi_sysctl.c
scsi_sysfs.c SCSI misc on 20140401 2014-04-01 18:49:04 -07:00
scsi_tgt_if.c scsi: Add export.h for EXPORT_SYMBOL/THIS_MODULE as required 2011-10-31 19:31:23 -04:00
scsi_tgt_lib.c [SCSI] do not manipulate device reference counts in scsi_get/put_command 2014-03-15 10:19:24 -07:00
scsi_tgt_priv.h
scsi_trace.c
scsi_transport_api.h
scsi_transport_fc_internal.h
scsi_transport_fc.c [SCSI] scsi_transport_fc: Add 32Gbps speed definition. 2014-03-15 10:17:50 -07:00
scsi_transport_iscsi.c Merge branch 'master' into for-next 2014-02-20 14:54:28 +01:00
scsi_transport_sas.c [SCSI] scsi_transport_sas: add 12GB definitions for mpt3sas 2012-12-01 10:08:41 +00:00
scsi_transport_spi.c [SCSI] scsi_transport_spi: fix for unbalanced reference counting 2012-05-10 09:06:12 +01:00
scsi_transport_srp_internal.h
scsi_transport_srp.c scsi_transport_srp: Fix two kernel-doc warnings 2014-03-24 10:05:30 -07:00
scsi_typedefs.h
scsi.c [SCSI] add support for per-host cmd pools 2014-03-27 08:26:33 -07:00
scsi.h
scsicam.c fs: move code out of buffer.c 2012-01-03 22:54:07 -05:00
sd_dif.c bio-integrity: Convert to bvec_iter 2013-11-23 22:33:50 -08:00
sd.c [SCSI] sd: Quiesce mode sense error messages 2014-03-27 08:26:33 -07:00
sd.h [SCSI] sd: Quiesce mode sense error messages 2014-03-27 08:26:33 -07:00
ses.c [SCSI] ses: Use vpd information from scsi_device 2014-03-27 08:26:31 -07:00
sg.c [SCSI] Revert "sg: use rwsem to solve race during exclusive open" 2013-10-25 10:59:54 +01:00
sgiwd93.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sim710.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sni_53c710.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sr_ioctl.c scsi: Fix up files implicitly depending on module.h inclusion 2011-10-31 19:31:24 -04:00
sr_vendor.c
sr.c [SCSI] sr: use block layer runtime PM 2013-12-16 10:57:51 -08:00
sr.h
st_options.h
st.c [SCSI] st: fix corruption of the st_modedef structures in st_set_options() 2014-03-15 10:19:22 -07:00
st.h [SCSI] st: raise device limit 2012-09-14 17:59:29 +01:00
stex.c SCSI: remove unnecessary pci_set_drvdata() 2013-10-14 15:26:04 +02:00
storvsc_drv.c [SCSI] storvsc: NULL pointer dereference fix 2014-03-12 13:16:54 +04:00
sun3_NCR5380.c sun3_scsi: add ->show_info() 2013-05-04 14:50:16 -04:00
sun3_scsi_vme.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
sun3_scsi.c sun3_scsi: add ->show_info() 2013-05-04 14:50:16 -04:00
sun3_scsi.h sun3_scsi: add ->show_info() 2013-05-04 14:50:16 -04:00
sun3x_esp.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sun_esp.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sym53c416.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
sym53c416.h
t128.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
t128.h NCR5830: switch to ->show_info() 2013-04-09 14:13:17 -04:00
tmscsim.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
tmscsim.h [SCSI] tmscsim: Move 'last_reset' into host structure 2013-10-25 11:51:37 +01:00
u14-34f.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
ultrastor.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
ultrastor.h
virtio_scsi.c virtio-scsi: Fix hotcpu_notifier use-after-free with virtscsi_freeze 2014-01-16 10:22:27 +10:30
vmw_pvscsi.c [SCSI] vmw_pvscsi: Some improvements in pvscsi driver. 2014-03-19 15:04:46 -07:00
vmw_pvscsi.h [SCSI] vmw_pvscsi: Some improvements in pvscsi driver. 2014-03-19 15:04:46 -07:00
wd33c93.c switch wd33c93 to ->show_info() 2013-04-09 14:13:15 -04:00
wd33c93.h switch wd33c93 to ->show_info() 2013-04-09 14:13:15 -04:00
wd7000.c [SCSI] remove deprecated IRQF_DISABLED from SCSI 2014-03-19 15:04:44 -07:00
zalon.c Drivers: scsi: remove __dev* attributes. 2013-01-03 15:57:01 -08:00
zorro7xx.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00