parent
2532c1a7a3
commit
8f427dedef
|
@ -1,46 +0,0 @@
|
|||
From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
|
||||
From: Jann Horn <jannh@google.com>
|
||||
Date: Tue, 26 Apr 2016 22:26:26 +0200
|
||||
Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
|
||||
|
||||
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
|
||||
references a non-map file descriptor as a map file descriptor, the error
|
||||
handling code called fdput() twice instead of once (in __bpf_map_get() and
|
||||
in replace_map_fd_with_map_ptr()). If the file descriptor table of the
|
||||
current task is shared, this causes f_count to be decremented too much,
|
||||
allowing the struct file to be freed while it is still in use
|
||||
(use-after-free). This can be exploited to gain root privileges by an
|
||||
unprivileged user.
|
||||
|
||||
This bug was introduced in
|
||||
commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
|
||||
exploitable since
|
||||
commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
|
||||
previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
|
||||
|
||||
(posted publicly according to request by maintainer)
|
||||
|
||||
Signed-off-by: Jann Horn <jannh@google.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Acked-by: Alexei Starovoitov <ast@kernel.org>
|
||||
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
kernel/bpf/verifier.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
|
||||
index 618ef77c302a..db2574e7b8b0 100644
|
||||
--- a/kernel/bpf/verifier.c
|
||||
+++ b/kernel/bpf/verifier.c
|
||||
@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
|
||||
if (IS_ERR(map)) {
|
||||
verbose("fd %d is not pointing to valid bpf_map\n",
|
||||
insn->imm);
|
||||
- fdput(f);
|
||||
return PTR_ERR(map);
|
||||
}
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,158 +0,0 @@
|
|||
From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexei Starovoitov <ast@fb.com>
|
||||
Date: Wed, 27 Apr 2016 18:56:20 -0700
|
||||
Subject: [PATCH] bpf: fix refcnt overflow
|
||||
|
||||
On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
|
||||
the malicious application may overflow 32-bit bpf program refcnt.
|
||||
It's also possible to overflow map refcnt on 1Tb system.
|
||||
Impose 32k hard limit which means that the same bpf program or
|
||||
map cannot be shared by more than 32k processes.
|
||||
|
||||
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
|
||||
Reported-by: Jann Horn <jannh@google.com>
|
||||
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
|
||||
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/linux/bpf.h | 3 ++-
|
||||
kernel/bpf/inode.c | 7 ++++---
|
||||
kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
|
||||
kernel/bpf/verifier.c | 11 +++++++----
|
||||
4 files changed, 33 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
|
||||
index 83d1926c61e4..67bc2da5d233 100644
|
||||
--- a/include/linux/bpf.h
|
||||
+++ b/include/linux/bpf.h
|
||||
@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl);
|
||||
void bpf_register_map_type(struct bpf_map_type_list *tl);
|
||||
|
||||
struct bpf_prog *bpf_prog_get(u32 ufd);
|
||||
+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
|
||||
void bpf_prog_put(struct bpf_prog *prog);
|
||||
void bpf_prog_put_rcu(struct bpf_prog *prog);
|
||||
|
||||
struct bpf_map *bpf_map_get_with_uref(u32 ufd);
|
||||
struct bpf_map *__bpf_map_get(struct fd f);
|
||||
-void bpf_map_inc(struct bpf_map *map, bool uref);
|
||||
+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
|
||||
void bpf_map_put_with_uref(struct bpf_map *map);
|
||||
void bpf_map_put(struct bpf_map *map);
|
||||
|
||||
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
|
||||
index 5a8a797d50b7..d1a7646f79c5 100644
|
||||
--- a/kernel/bpf/inode.c
|
||||
+++ b/kernel/bpf/inode.c
|
||||
@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type)
|
||||
{
|
||||
switch (type) {
|
||||
case BPF_TYPE_PROG:
|
||||
- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
|
||||
+ raw = bpf_prog_inc(raw);
|
||||
break;
|
||||
case BPF_TYPE_MAP:
|
||||
- bpf_map_inc(raw, true);
|
||||
+ raw = bpf_map_inc(raw, true);
|
||||
break;
|
||||
default:
|
||||
WARN_ON_ONCE(1);
|
||||
@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname,
|
||||
goto out;
|
||||
|
||||
raw = bpf_any_get(inode->i_private, *type);
|
||||
- touch_atime(&path);
|
||||
+ if (!IS_ERR(raw))
|
||||
+ touch_atime(&path);
|
||||
|
||||
path_put(&path);
|
||||
return raw;
|
||||
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
|
||||
index 3b39550d8485..4e32cc94edd9 100644
|
||||
--- a/kernel/bpf/syscall.c
|
||||
+++ b/kernel/bpf/syscall.c
|
||||
@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f)
|
||||
return f.file->private_data;
|
||||
}
|
||||
|
||||
-void bpf_map_inc(struct bpf_map *map, bool uref)
|
||||
+/* prog's and map's refcnt limit */
|
||||
+#define BPF_MAX_REFCNT 32768
|
||||
+
|
||||
+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
|
||||
{
|
||||
- atomic_inc(&map->refcnt);
|
||||
+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
|
||||
+ atomic_dec(&map->refcnt);
|
||||
+ return ERR_PTR(-EBUSY);
|
||||
+ }
|
||||
if (uref)
|
||||
atomic_inc(&map->usercnt);
|
||||
+ return map;
|
||||
}
|
||||
|
||||
struct bpf_map *bpf_map_get_with_uref(u32 ufd)
|
||||
@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
|
||||
if (IS_ERR(map))
|
||||
return map;
|
||||
|
||||
- bpf_map_inc(map, true);
|
||||
+ map = bpf_map_inc(map, true);
|
||||
fdput(f);
|
||||
|
||||
return map;
|
||||
@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f)
|
||||
return f.file->private_data;
|
||||
}
|
||||
|
||||
+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
|
||||
+{
|
||||
+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
|
||||
+ atomic_dec(&prog->aux->refcnt);
|
||||
+ return ERR_PTR(-EBUSY);
|
||||
+ }
|
||||
+ return prog;
|
||||
+}
|
||||
+
|
||||
/* called by sockets/tracing/seccomp before attaching program to an event
|
||||
* pairs with bpf_prog_put()
|
||||
*/
|
||||
@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
|
||||
if (IS_ERR(prog))
|
||||
return prog;
|
||||
|
||||
- atomic_inc(&prog->aux->refcnt);
|
||||
+ prog = bpf_prog_inc(prog);
|
||||
fdput(f);
|
||||
|
||||
return prog;
|
||||
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
|
||||
index 2e7f7ab739e4..060e4c4c37ea 100644
|
||||
--- a/kernel/bpf/verifier.c
|
||||
+++ b/kernel/bpf/verifier.c
|
||||
@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
|
||||
return -E2BIG;
|
||||
}
|
||||
|
||||
- /* remember this map */
|
||||
- env->used_maps[env->used_map_cnt++] = map;
|
||||
-
|
||||
/* hold the map. If the program is rejected by verifier,
|
||||
* the map will be released by release_maps() or it
|
||||
* will be used by the valid program until it's unloaded
|
||||
* and all maps are released in free_bpf_prog_info()
|
||||
*/
|
||||
- bpf_map_inc(map, false);
|
||||
+ map = bpf_map_inc(map, false);
|
||||
+ if (IS_ERR(map)) {
|
||||
+ fdput(f);
|
||||
+ return PTR_ERR(map);
|
||||
+ }
|
||||
+ env->used_maps[env->used_map_cnt++] = map;
|
||||
+
|
||||
fdput(f);
|
||||
next_insn:
|
||||
insn++;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001
|
||||
From: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Date: Thu, 5 May 2016 16:25:35 -0400
|
||||
Subject: [PATCH] get_rock_ridge_filename(): handle malformed NM entries
|
||||
|
||||
Payloads of NM entries are not supposed to contain NUL. When we run
|
||||
into such, only the part prior to the first NUL goes into the
|
||||
concatenation (i.e. the directory entry name being encoded by a bunch
|
||||
of NM entries). We do stop when the amount collected so far + the
|
||||
claimed amount in the current NM entry exceed 254. So far, so good,
|
||||
but what we return as the total length is the sum of *claimed*
|
||||
sizes, not the actual amount collected. And that can grow pretty
|
||||
large - not unlimited, since you'd need to put CE entries in
|
||||
between to be able to get more than the maximum that could be
|
||||
contained in one isofs directory entry / continuation chunk and
|
||||
we are stop once we'd encountered 32 CEs, but you can get about 8Kb
|
||||
easily. And that's what will be passed to readdir callback as the
|
||||
name length. 8Kb __copy_to_user() from a buffer allocated by
|
||||
__get_free_page()
|
||||
|
||||
Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/isofs/rock.c | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
|
||||
index 5384ceb35b1c..98b3eb7d8eaf 100644
|
||||
--- a/fs/isofs/rock.c
|
||||
+++ b/fs/isofs/rock.c
|
||||
@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
|
||||
int retnamlen = 0;
|
||||
int truncate = 0;
|
||||
int ret = 0;
|
||||
+ char *p;
|
||||
+ int len;
|
||||
|
||||
if (!ISOFS_SB(inode->i_sb)->s_rock)
|
||||
return 0;
|
||||
@@ -267,12 +269,17 @@ repeat:
|
||||
rr->u.NM.flags);
|
||||
break;
|
||||
}
|
||||
- if ((strlen(retname) + rr->len - 5) >= 254) {
|
||||
+ len = rr->len - 5;
|
||||
+ if (retnamlen + len >= 254) {
|
||||
truncate = 1;
|
||||
break;
|
||||
}
|
||||
- strncat(retname, rr->u.NM.name, rr->len - 5);
|
||||
- retnamlen += rr->len - 5;
|
||||
+ p = memchr(rr->u.NM.name, '\0', len);
|
||||
+ if (unlikely(p))
|
||||
+ len = p - rr->u.NM.name;
|
||||
+ memcpy(retname + retnamlen, rr->u.NM.name, len);
|
||||
+ retnamlen += len;
|
||||
+ retname[retnamlen] = '\0';
|
||||
break;
|
||||
case SIG('R', 'E'):
|
||||
kfree(rs.buffer);
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Abeni <pabeni@redhat.com>
|
||||
Date: Thu, 21 Apr 2016 20:23:31 -0400
|
||||
Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if
|
||||
in_dev is dead
|
||||
|
||||
After commit fbd40ea0180a ("ipv4: Don't do expensive useless work
|
||||
during inetdev destroy.") when deleting an interface,
|
||||
fib_del_ifaddr() can be executed without any primary address
|
||||
present on the dead interface.
|
||||
|
||||
The above is safe, but triggers some "bug: prim == NULL" warnings.
|
||||
|
||||
This commit avoids warning if the in_dev is dead
|
||||
|
||||
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||
---
|
||||
net/ipv4/fib_frontend.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
|
||||
index 8a9246deccfe..63566ec54794 100644
|
||||
--- a/net/ipv4/fib_frontend.c
|
||||
+++ b/net/ipv4/fib_frontend.c
|
||||
@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
|
||||
if (ifa->ifa_flags & IFA_F_SECONDARY) {
|
||||
prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
|
||||
if (!prim) {
|
||||
- pr_warn("%s: bug: prim == NULL\n", __func__);
|
||||
+ /* if the device has been deleted, we don't perform
|
||||
+ * address promotion
|
||||
+ */
|
||||
+ if (!in_dev->dead)
|
||||
+ pr_warn("%s: bug: prim == NULL\n", __func__);
|
||||
return;
|
||||
}
|
||||
if (iprim && iprim != prim) {
|
||||
--
|
||||
2.5.5
|
||||
|
35
kernel.spec
35
kernel.spec
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -633,23 +633,12 @@ Patch695: cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
|
|||
#rhbz 1309487
|
||||
Patch701: antenna_select.patch
|
||||
|
||||
# Follow on for CVE-2016-3156
|
||||
Patch702: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
|
||||
|
||||
# Stop splashing crap about broken firmware BGRT
|
||||
Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
|
||||
|
||||
#CVE-2016-4482 rhbz 1332931 1332932
|
||||
Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch
|
||||
|
||||
#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
|
||||
Patch706: net-fix-infoleak-in-llc.patch
|
||||
Patch707: net-fix-infoleak-in-rtnetlink.patch
|
||||
|
||||
#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
|
||||
Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
|
||||
Patch712: bpf-fix-refcnt-overflow.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
|
@ -661,9 +650,6 @@ Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
|||
#CVE-2016-3713 rhbz 1332139 1336410
|
||||
Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
|
||||
#CVE-2016-4913 rhbz 1337528 1337529
|
||||
Patch719: get_rock_ridge_filename-handle-malformed-NM-entries.patch
|
||||
|
||||
#CVE-2016-4951 rhbz 1338625 1338626
|
||||
Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
||||
|
||||
|
@ -1364,20 +1350,9 @@ ApplyPatch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
|
|||
#rhbz 1309487
|
||||
ApplyPatch antenna_select.patch
|
||||
|
||||
# Follow on for CVE-2016-3156
|
||||
ApplyPatch ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
|
||||
|
||||
#CVE-2016-4482 rhbz 1332931 1332932
|
||||
ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch
|
||||
|
||||
#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321
|
||||
ApplyPatch net-fix-infoleak-in-llc.patch
|
||||
ApplyPatch net-fix-infoleak-in-rtnetlink.patch
|
||||
|
||||
#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
|
||||
ApplyPatch bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
|
||||
ApplyPatch bpf-fix-refcnt-overflow.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
ApplyPatch ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
|
@ -1389,8 +1364,8 @@ ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
|||
#CVE-2016-3713 rhbz 1332139 1336410
|
||||
ApplyPatch KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
|
||||
#CVE-2016-4913 rhbz 1337528 1337529
|
||||
ApplyPatch get_rock_ridge_filename-handle-malformed-NM-entries.patch
|
||||
#CVE-2016-4951 rhbz 1338625 1338626
|
||||
ApplyPatch tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2241,6 +2216,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon May 23 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.11-200
|
||||
- Linux v4.4.11
|
||||
- Actually apply one patch
|
||||
|
||||
* Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626)
|
||||
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:35:05 -0400
|
||||
Subject: [PATCH 2/2] net: fix infoleak in llc
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “info” has a total size of 12 bytes. Its last byte
|
||||
is padding which is not initialized and leaked via “put_cmsg”.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/llc/af_llc.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
|
||||
index b3c52e3f689a..8ae3ed97d95c 100644
|
||||
--- a/net/llc/af_llc.c
|
||||
+++ b/net/llc/af_llc.c
|
||||
@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
|
||||
if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
|
||||
struct llc_pktinfo info;
|
||||
|
||||
+ memset(&info, 0, sizeof(info));
|
||||
info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
|
||||
llc_pdu_decode_dsap(skb, &info.lpi_sap);
|
||||
llc_pdu_decode_da(skb, info.lpi_mac);
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:46:24 -0400
|
||||
Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “map” has a total size of 32 bytes. Its last 4
|
||||
bytes are padding generated by compiler. These padding bytes are
|
||||
not initialized and sent out via “nla_put”.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/rtnetlink.c | 18 ++++++++++--------
|
||||
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
|
||||
index a75f7e94b445..65763c29f845 100644
|
||||
--- a/net/core/rtnetlink.c
|
||||
+++ b/net/core/rtnetlink.c
|
||||
@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
|
||||
|
||||
static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
|
||||
{
|
||||
- struct rtnl_link_ifmap map = {
|
||||
- .mem_start = dev->mem_start,
|
||||
- .mem_end = dev->mem_end,
|
||||
- .base_addr = dev->base_addr,
|
||||
- .irq = dev->irq,
|
||||
- .dma = dev->dma,
|
||||
- .port = dev->if_port,
|
||||
- };
|
||||
+ struct rtnl_link_ifmap map;
|
||||
+
|
||||
+ memset(&map, 0, sizeof(map));
|
||||
+ map.mem_start = dev->mem_start;
|
||||
+ map.mem_end = dev->mem_end;
|
||||
+ map.base_addr = dev->base_addr;
|
||||
+ map.irq = dev->irq;
|
||||
+ map.dma = dev->dma;
|
||||
+ map.port = dev->if_port;
|
||||
+
|
||||
if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
|
||||
return -EMSGSIZE;
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|
Loading…
Reference in New Issue