1. 17 Dec, 2015 2 commits
  2. 16 Dec, 2015 8 commits
  3. 15 Dec, 2015 27 commits
  4. 14 Dec, 2015 3 commits
    • Sergei Shtylyov's avatar
      sh_eth: uninline sh_eth_{write|read}() · 2274d375
      Sergei Shtylyov authored
      Commit 3365711d ("sh_eth: WARN on access to a register not implemented in
      in  a particular chip") added WARN_ON() to sh_eth_{read|write}(), thus making
      it  unacceptable for these functions to be *inline* anymore. Remove *inline*
      and move the functions from the header to the driver itself. Below   is our
      code economy with ARM gcc 4.7.3:
      
      $ size drivers/net/ethernet/renesas/sh_eth.o{~,}
         text	   data	    bss	    dec	    hex	filename
        32489	   1140	      0	  33629	   835d	drivers/net/ethernet/renesas/sh_eth.o~
        25413	   1140	      0	  26553	   67b9	drivers/net/ethernet/renesas/sh_eth.o
      Suggested-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2274d375
    • Chen-Yu Tsai's avatar
      stmmac: dwmac-sunxi: Call exit cleanup function in probe error path · d856c16d
      Chen-Yu Tsai authored
      dwmac-sunxi has 2 callbacks that were called from stmmac_platform as
      part of the probe and remove sequences.
      
      Ater the conversion of dwmac-sunxi into a standalone platform driver,
      the .init function is called before calling into the stmmac driver
      core, but .exit is not called to clean up if stmmac returns an error.
      
      This patch fixes the probe error path. This properly cleans up and
      releases resources when the driver core fails to probe.
      
      Cc: Joachim Eastwood <manabian@gmail.com>
      Fixes: 9a9e9a1e ("stmmac: dwmac-sunxi: turn setup callback into a
      		      probe function")
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d856c16d
    • Hannes Frederic Sowa's avatar
      net: add validation for the socket syscall protocol argument · 79462ad0
      Hannes Frederic Sowa authored
      郭永刚 reported that one could simply crash the kernel as root by
      using a simple program:
      
      	int socket_fd;
      	struct sockaddr_in addr;
      	addr.sin_port = 0;
      	addr.sin_addr.s_addr = INADDR_ANY;
      	addr.sin_family = 10;
      
      	socket_fd = socket(10,3,0x40000000);
      	connect(socket_fd , &addr,16);
      
      AF_INET, AF_INET6 sockets actually only support 8-bit protocol
      identifiers. inet_sock's skc_protocol field thus is sized accordingly,
      thus larger protocol identifiers simply cut off the higher bits and
      store a zero in the protocol fields.
      
      This could lead to e.g. NULL function pointer because as a result of
      the cut off inet_num is zero and we call down to inet_autobind, which
      is NULL for raw sockets.
      
      kernel: Call Trace:
      kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
      kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
      kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
      kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
      kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
      kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
      kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
      
      I found no particular commit which introduced this problem.
      
      CVE: CVE-2015-8543
      Cc: Cong Wang <cwang@twopensource.com>
      Reported-by: default avatar郭永刚 <guoyonggang@360.cn>
      Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79462ad0