mirror-linux/drivers
Kery Qi f0813bcd2d net: wwan: t7xx: fix potential skb->frags overflow in RX path
When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb()
function adds page fragments to an skb without checking if the number of
fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
in the skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a
similar vulnerability fixed in the mt76 driver commit b102f0c522 ("mt76:
fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets
with excessive fragments. While under normal protocol conditions (MTU 3080
bytes, BAT buffer 3584 bytes) a single packet should not require additional
fragments, the kernel should not blindly trust firmware behavior.
Malicious, buggy, or compromised firmware could potentially craft packets
with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to
ensure nr_frags does not exceed MAX_SKB_FRAGS.

The check must be performed before unmapping to avoid a page leak
and double DMA unmap during device teardown.

Fixes: d642b012df ("net: wwan: t7xx: Add data path interface")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-01-25 14:43:32 -08:00
accel accel/amdxdna: Block running under a hypervisor 2025-12-15 13:00:03 -06:00
accessibility
acpi ACPI: PM: s2idle: Add module parameter for LPS0 constraints checking 2026-01-13 23:10:25 +01:00
amba soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
android rust_binder: remove spin_lock() in rust_shrink_free_page() 2025-12-29 11:34:16 +01:00
ata ata: libata: Print features also for ATAPI devices 2026-01-13 22:00:02 +09:00
atm atm: Fix dma_free_coherent() size 2026-01-08 08:47:32 -08:00
auxdisplay
base PM: runtime: Do not clear needs_force_resume with enabled runtime PM 2025-12-16 12:58:57 +01:00
bcma
block block-6.19-20260116 2026-01-16 20:59:46 -08:00
bluetooth Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work 2026-01-22 13:22:22 -05:00
bus Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
cache cache: Support cache maintenance for HiSilicon SoC Hydra Home Agent 2025-11-21 18:42:02 +00:00
cdrom
cdx
char Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
clk This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
clocksource soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
comedi Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
connector
counter counter: 104-quad-8: Fix incorrect return value in IRQ handler 2025-12-22 20:03:23 +09:00
cpufreq cpufreq: dt-platdev: Fix creating device on OPPv1 platforms 2025-12-16 07:59:30 -06:00
cpuidle soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
crypto crypto: qat - fix duplicate restarting msg during AER error 2025-12-29 08:44:14 +08:00
cxl cxl: Check for invalid addresses returned from translation functions on errors 2026-01-13 08:30:40 -07:00
dax drivers/dax: add some missing kerneldoc comment fields for struct dev_dax 2026-01-14 22:16:26 -08:00
dca
devfreq PM / devfreq: Fix typo in DFSO_DOWNDIFFERENTIAL macro name 2025-11-26 13:58:59 +09:00
dibs dibs: Remove KMSG_COMPONENT macro 2025-11-27 18:11:43 -08:00
dio
dma dmaengine: apple-admac: Add "apple,t8103-admac" compatible 2026-01-11 22:12:49 +05:30
dma-buf VFIO updates for v6.19-rc1 2025-12-04 18:42:48 -08:00
dpll dpll: Prevent duplicate registrations 2026-01-22 08:08:42 -08:00
edac EDAC/x38: Fix a resource leak in x38_probe1() 2026-01-04 08:35:39 +01:00
eisa
extcon
firewire firewire: nosy: Fix dma_free_coherent() size 2025-12-26 22:04:03 +09:00
firmware mm: rename cpu_bitmap field to flexible_array 2026-01-19 12:30:00 -08:00
fpga
fsi
fwctl
gnss gnss: ubx: add support for the safeboot gpio 2025-11-20 16:44:04 +01:00
gpib staging: gpib: Clean-up commented-out code 2025-11-26 14:28:19 +01:00
gpio gpiolib: remove redundant callback check 2026-01-12 09:35:04 +01:00
gpu drm-misc-fixes for v6.19-rc6: 2026-01-16 20:27:21 +01:00
greybus greybus: gb-beagleplay: Fix timeout handling in bootloader functions 2025-11-26 14:40:59 +01:00
hid hid-for-linus-2026010801 2026-01-08 07:44:48 -08:00
hsi
hte
hv mshv: handle gpa intercepts for arm64 2026-01-15 07:29:14 +00:00
hwmon hwmon: (ltc4282): Fix reset_history file permissions 2025-12-19 08:44:22 -08:00
hwspinlock
hwtracing Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
i2c i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress 2026-01-14 12:58:26 +01:00
i3c i3c: adi: Fix confusing cleanup.h syntax 2025-12-12 23:59:39 +01:00
idle
iio Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
infiniband RDMA/bnxt_re: fix dma_free_coherent() pointer 2025-12-30 06:45:51 -05:00
input Input updates for v6.19-rc1 2025-12-21 15:21:10 -08:00
interconnect
iommu iommu/sva: include mmu_notifier.h header 2026-01-14 22:16:25 -08:00
ipack
irqchip irqchip/riscv-imsic: Revert "Remove redundant irq_data lookups" 2026-01-13 09:51:46 +01:00
isdn mISDN: annotate data-race around dev->work 2026-01-20 18:37:41 -08:00
leds leds: led-class: Only Add LED to leds_list when it is fully ready 2026-01-20 16:02:01 +00:00
macintosh soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
mailbox mailbox: th1520: fix clock imbalance on probe failure 2025-11-28 09:47:44 -06:00
mcb
md block-6.19-20260102 2026-01-02 12:15:59 -08:00
media [GIT PULL for v6.19-rc6] media fixes 2026-01-14 08:18:01 -08:00
memory soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
memstick
message
mfd MFD for v6.19 2025-12-04 15:18:33 -08:00
misc Char/Misc driver fixes for 6.19-rc5 2026-01-11 07:27:44 -10:00
mmc mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig 2025-12-17 14:14:51 +01:00
most
mtd treewide: Update email address 2026-01-11 06:09:11 -10:00
mux mux: mmio: Add suspend and resume support 2025-11-26 15:09:30 +01:00
net net: wwan: t7xx: fix potential skb->frags overflow in RX path 2026-01-25 14:43:32 -08:00
nfc Revert "nfc/nci: Add the inconsistency check between the input data length and count" 2026-01-17 18:02:50 -08:00
ntb
nubus
nvdimm NVDIMM changes for 6.19 2025-12-06 09:32:25 -08:00
nvme block-6.19-20260116 2026-01-16 20:59:46 -08:00
nvmem Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
of of: fix reference count leak in of_alias_scan() 2026-01-17 10:20:43 -06:00
opp
parisc parisc: Set valid bit in high byte of 64‑bit physical address 2025-12-19 13:56:17 +01:00
parport
pci cxl fixes for v6.19-rc6 2026-01-16 13:09:28 -08:00
pcmcia
peci Char/Misc/IIO driver updates for 6.19-rc1 2025-12-06 18:34:24 -08:00
perf arm64 updates for 6.19: 2025-12-02 17:03:55 -08:00
phy phy: freescale: imx8m-pcie: assert phy reset during power on 2026-01-14 21:44:39 +05:30
pinctrl pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping 2026-01-01 15:40:56 +01:00
platform platform/x86: asus-armoury: add support for G835LW 2025-12-30 12:51:46 +02:00
pmdomain Qualcomm Arm64 DeviceTree fixes for v6.19 2026-01-21 09:52:19 +01:00
pnp
power soc: driver updates for 6.19 2025-12-05 17:29:04 -08:00
powercap powercap: intel_rapl: Fix possible recursive lock warning 2025-12-17 17:24:28 +01:00
pps printk changes for 6.19 2025-12-03 12:42:36 -08:00
ps3
ptp Networking changes for 6.19. 2025-12-03 17:24:33 -08:00
pwm pwm: max7360: Populate missing .sizeof_wfhw in max7360_pwm_ops 2026-01-19 18:31:05 +01:00
rapidio
ras EFI updates for v6.19: 2025-12-04 17:10:08 -08:00
regulator regulator: fp9931: fix regulator node pointer 2025-12-24 11:31:29 +00:00
remoteproc remoteproc: qcom_q6v5_wcss: use optional reset for wcss_q6_bcr_reset 2025-11-29 15:20:23 -06:00
resctrl arm_mpam: Use non-atomic bitops when modifying feature bitmap 2026-01-16 12:04:20 +00:00
reset This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
rpmsg rpmsg: glink: remove duplicate code for rpmsg device remove 2025-11-26 10:16:10 -06:00
rtc RTC for 6.19 2025-12-13 17:09:06 +12:00
s390 s390: Unmap early KASAN shadow on memory offlining 2025-12-07 16:15:19 +01:00
sbus
scsi scsi: bfa: Update outdated comment 2026-01-04 15:28:08 -05:00
sh
siox
slimbus Networking changes for 6.19. 2025-12-03 17:24:33 -08:00
soc bitmap updates for v6.19 2025-12-06 09:01:27 -08:00
soundwire soundwire fix for 6.19 2026-01-18 12:29:12 -08:00
spi spi: cadence-quadspi: Prevent indirect read 2025-12-23 15:18:22 +00:00
spmi
ssb
staging Staging driver updates for 6.19-rc1 2025-12-06 18:52:00 -08:00
target SCSI misc on 20251214 2025-12-14 15:35:35 +12:00
tc
tee QCOMTEE fixes2 for v6.18 2025-11-21 21:27:20 +01:00
thermal thermal: core: Fix typo and indentation in comments 2025-12-15 12:47:39 +01:00
thunderbolt USB/Thunderbolt changes for 6.19-rc1 2025-12-06 18:42:12 -08:00
tty serial: xilinx_uartps: fix rs485 delay_rts_after_send 2025-12-23 11:55:16 +01:00
ufs scsi: ufs: host: mediatek: Make read-only array scale_us static const 2026-01-04 15:48:50 -05:00
uio treewide: Update email address 2026-01-11 06:09:11 -10:00
usb xhci: sideband: don't dereference freed ring when removing sideband endpoint 2026-01-16 12:19:37 +01:00
vdpa Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
vfio vfio/xe: Fix use-after-free in xe_vfio_pci_alloc_file() 2025-12-28 12:42:46 -07:00
vhost vhost/vsock: improve RCU read sections around vhost_vsock_get() 2025-12-24 08:02:57 -05:00
video fbdev fixes & enhancements for 6.19-rc1: 2025-12-06 15:41:26 -08:00
virt virt: Fix Kconfig warning when selecting TSM without VIRT_DRIVERS 2025-12-04 17:34:16 -08:00
virtio virtio: clean up features qword/dword terms 2025-11-27 02:03:07 -05:00
w1
watchdog linux-watchdog 6.19-rc1 tag 2025-12-06 10:00:49 -08:00
xen ACPI: PCI: IRQ: Fix INTx GSIs signedness 2026-01-05 19:06:40 +01:00
zorro
Kconfig Staging driver updates for 6.19-rc1 2025-12-06 18:52:00 -08:00
Makefile Staging driver updates for 6.19-rc1 2025-12-06 18:52:00 -08:00