1. 05 Oct, 2010 1 commit
  2. 04 Oct, 2010 6 commits
    • Dan Rosenberg's avatar
      sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() · 51e97a12
      Dan Rosenberg authored
      The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
      array and attempts to ensure that only a supported hmac entry is
      returned.  The current code fails to do this properly - if the last id
      in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
      id integer remains set after exiting the loop, and the address of an
      out-of-bounds entry will be returned and subsequently used in the parent
      function, causing potentially ugly memory corruption.  This patch resets
      the id integer to 0 on encountering an invalid id so that NULL will be
      returned after finishing the loop if no valid ids are found.
      Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
      Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51e97a12
    • Dan Rosenberg's avatar
      sctp: prevent reading out-of-bounds memory · d7e0d19a
      Dan Rosenberg authored
      Two user-controlled allocations in SCTP are subsequently dereferenced as
      sockaddr structs, without checking if the dereferenced struct members fall
      beyond the end of the allocated chunk.  There doesn't appear to be any
      information leakage here based on how these members are used and
      additional checking, but it's still worth fixing.
      
      [akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion]
      Signed-off-by: default avatarDan Rosenberg <dan.j.rosenberg@gmail.com>
      Acked-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7e0d19a
    • David Stevens's avatar
      ipv4: correct IGMP behavior on v3 query during v2-compatibility mode · 5b7c8406
      David Stevens authored
      A recent patch to allow IGMPv2 responses to IGMPv3 queries
      bypasses length checks for valid query lengths, incorrectly
      resets the v2_seen timer, and does not support IGMPv1.
      
      The following patch responds with a v2 report as required
      by IGMPv2 while correcting the other problems introduced
      by the patch.
      Signed-Off-By: default avatarDavid L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b7c8406
    • Ben Hutchings's avatar
      netdev: Depend on INET before selecting INET_LRO · 10ccff62
      Ben Hutchings authored
      Since 'select' ignores dependencies, drivers that select INET_LRO must
      depend on INET.  This fixes the broken configuration reported in
      <http://article.gmane.org/gmane.linux.kernel/825646>.
      Reported-by: default avatarSubrata Modak <subrata@linux.vnet.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      10ccff62
    • Ben Hutchings's avatar
      Revert "ipv4: Make INET_LRO a bool instead of tristate." · c5d35571
      Ben Hutchings authored
      This reverts commit e81963b1.
      
      LRO is now deprecated in favour of GRO, and only a few drivers use it,
      so it is desirable to build it as a module in distribution kernels.
      
      The original change to prevent building it as a module was made in an
      attempt to avoid the case where some dependents are set to y and some
      to m, and INET_LRO can be set to m rather than y.  However, the
      Kconfig system will reliably set INET_LRO=y in this case.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5d35571
    • Nagendra Tomar's avatar
      net: Fix the condition passed to sk_wait_event() · 482964e5
      Nagendra Tomar authored
      This patch fixes the condition (3rd arg) passed to sk_wait_event() in
      sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
      causes the following soft lockup in tcp_sendmsg() when the global tcp
      memory pool has exhausted.
      
      >>> snip <<<
      
      localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
      localhost kernel: CPU 3:
      localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
      localhost kernel:
      localhost kernel: Call Trace:
      localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
      localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
      localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
      localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
      localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
      localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
      
      >>> snip <<<
      
      What is happening is, that the sk_wait_event() condition passed from
      sk_stream_wait_memory() evaluates to true for the case of tcp global memory
      exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
      which causes sk_wait_event() to *not* call schedule_timeout().
      Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
      This causes the caller to again try allocation, which again fails and again
      calls sk_stream_wait_memory(), and so on.
      
      [ Bug introduced by commit c1cbe4b7
        ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
      Signed-off-by: default avatarNagendra Singh Tomar <tomer_iisc@yahoo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      482964e5
  3. 03 Oct, 2010 1 commit
  4. 01 Oct, 2010 1 commit
  5. 30 Sep, 2010 3 commits
  6. 29 Sep, 2010 1 commit
  7. 28 Sep, 2010 3 commits
  8. 27 Sep, 2010 15 commits
  9. 26 Sep, 2010 2 commits
    • Ondrej Zary's avatar
      de2104x: fix TP link detection · ca9a7835
      Ondrej Zary authored
      Compex FreedomLine 32 PnP-PCI2 cards have only TP and BNC connectors but the
      SROM contains AUI port too. When TP loses link, the driver switches to
      non-existing AUI port (which reports that carrier is always present).
      
      Connecting TP back generates LinkPass interrupt but de_media_interrupt() is
      broken - it only updates the link state of currently connected media, ignoring
      the fact that LinkPass and LinkFail bits of MacStatus register belong to the
      TP port only (the chip documentation says that).
      
      This patch changes de_media_interrupt() to switch media to TP when link goes
      up (and media type is not locked) and also to update the link state only when
      the TP port is used.
      
      Also the NonselPortActive (and also SelPortActive) bits of SIAStatus register
      need to be cleared (by writing 1) after reading or they're useless.
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca9a7835
    • Ondrej Zary's avatar
      de2104x: fix power management · b0255a02
      Ondrej Zary authored
      At least my 21041 cards come out of suspend with bus mastering disabled so
      they did not work after resume(no data transferred).
      After adding pci_set_master(), the driver oopsed immediately on resume -
      because de_clean_rings() is called on suspend but de_init_rings() call
      was missing in resume.
      
      Also disable link (reset SIA) before sleep (de4x5 does this too).
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b0255a02
  10. 25 Sep, 2010 2 commits
    • Ondrej Zary's avatar
      de2104x: disable autonegotiation on broken hardware · e0f9c4f3
      Ondrej Zary authored
      At least on older 21041-AA chips (mine is rev. 11), TP duplex autonegotiation
      causes the card not to work at all (link is up but no packets are transmitted).
      
      de4x5 disables autonegotiation completely. But it seems to work on newer
      (21041-PA rev. 21) so disable it only on rev<20 chips.
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0f9c4f3
    • Eric Dumazet's avatar
      net: fix a lockdep splat · f064af1e
      Eric Dumazet authored
      We have for each socket :
      
      One spinlock (sk_slock.slock)
      One rwlock (sk_callback_lock)
      
      Possible scenarios are :
      
      (A) (this is used in net/sunrpc/xprtsock.c)
      read_lock(&sk->sk_callback_lock) (without blocking BH)
      <BH>
      spin_lock(&sk->sk_slock.slock);
      ...
      read_lock(&sk->sk_callback_lock);
      ...
      
      (B)
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      
      (C)
      spin_lock_bh(&sk->sk_slock)
      ...
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      spin_unlock_bh(&sk->sk_slock)
      
      This (C) case conflicts with (A) :
      
      CPU1 [A]                         CPU2 [C]
      read_lock(callback_lock)
      <BH>                             spin_lock_bh(slock)
      <wait to spin_lock(slock)>
                                       <wait to write_lock_bh(callback_lock)>
      
      We have one problematic (C) use case in inet_csk_listen_stop() :
      
      local_bh_disable();
      bh_lock_sock(child); // spin_lock_bh(&sk->sk_slock)
      WARN_ON(sock_owned_by_user(child));
      ...
      sock_orphan(child); // write_lock_bh(&sk->sk_callback_lock)
      
      lockdep is not happy with this, as reported by Tetsuo Handa
      
      It seems only way to deal with this is to use read_lock_bh(callbacklock)
      everywhere.
      
      Thanks to Jarek for pointing a bug in my first attempt and suggesting
      this solution.
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Tested-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      CC: Jarek Poplawski <jarkao2@gmail.com>
      Tested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f064af1e
  11. 24 Sep, 2010 1 commit
    • Johannes Berg's avatar
      mac80211: fix use-after-free · cd87a2d3
      Johannes Berg authored
      commit 8c0c709e
      Author: Johannes Berg <johannes@sipsolutions.net>
      Date:   Wed Nov 25 17:46:15 2009 +0100
      
          mac80211: move cmntr flag out of rx flags
      
      moved the CMTR flag into the skb's status, and
      in doing so introduced a use-after-free -- when
      the skb has been handed to cooked monitors the
      status setting will touch now invalid memory.
      
      Additionally, moving it there has effectively
      discarded the optimisation -- since the bit is
      only ever set on freed SKBs, and those were a
      copy, it could never be checked.
      
      For the current release, fixing this properly
      is a bit too involved, so let's just remove the
      problematic code and leave userspace with one
      copy of each frame for each virtual interface.
      
      Cc: stable@kernel.org [2.6.33+]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      cd87a2d3
  12. 23 Sep, 2010 4 commits