1. 14 Oct, 2014 21 commits
    • Tilman Schmidt's avatar
      isdn/gigaset: fix non-heap pointer deallocation · b8324f94
      Tilman Schmidt authored
      at_state structures may be allocated individually or as part of a
      cardstate or bc_state structure. The disconnect() function handled
      both cases, creating a risk that it might try to deallocate an
      at_state structure that had not been allocated individually.
      Fix by splitting disconnect() into two variants handling cases
      with and without an associated B channel separately, and adding
      an explicit check.
      
      Spotted with Coverity.
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b8324f94
    • Tilman Schmidt's avatar
      isdn/gigaset: fix NULL pointer dereference · 846ac301
      Tilman Schmidt authored
      In do_action, a NULL pointer might be passed to function start_dial
      which will dereference it.
      Fix by adding a check for NULL before the call.
      
      Spotted with Coverity.
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      846ac301
    • Tilman Schmidt's avatar
      isdn/gigaset: limit raw CAPI message dump length · 097933dd
      Tilman Schmidt authored
      In dump_rawmsg, the length field from a received data package was
      used unscrutinized, allowing an attacker to control the size of the
      allocated buffer and the number of times the output loop iterates.
      Fix by limiting to a reasonable value.
      
      Spotted with Coverity.
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      097933dd
    • Tilman Schmidt's avatar
      isdn/gigaset: make sure controller name is null terminated · ee7ff5fe
      Tilman Schmidt authored
      In gigaset_isdn_regdev, the name field may not have a null terminator
      if the source string's length is equal to the buffer size.
      Fix by zero filling the structure and excluding the last byte of the
      name field from the copy.
      
      Spotted with Coverity.
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee7ff5fe
    • Tilman Schmidt's avatar
      isdn/gigaset: missing break in do_facility_req · 1bdc07eb
      Tilman Schmidt authored
      If we take the unsupported supplementary service notification mask
      path, we end up falling through and overwriting the error code.
      Insert a break statement to skip the remainder of the switch case
      and proceed to sending the reply message.
      
      Spotted with Coverity.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1bdc07eb
    • David S. Miller's avatar
      Merge branch 'fec-ptp' · f787d6c8
      David S. Miller authored
      Luwei Zhou says:
      
      ====================
      Enable FEC pps feather
      
      Change from v2 to v3:
      	-Using the default channel 0 to be PPS channel not PTP_PIN_SET/GETFUNC interface.
      	-Using the linux definition of NSEC_PER_SEC.
      
      Change from v1 to v2:
      	- Fix the potential 32-bit multiplication overflow issue.
      	- Optimize the hareware adjustment code to improve efficiency as Richard suggested
      	- Use ptp PTP_PIN_SET/GETFUNC interface to set PPS channel not device tree
      	and add PTP_PF_PPS enumeration
      	- Modify comments style
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f787d6c8
    • Luwei Zhou's avatar
      net: fec: ptp: Enable PPS output based on ptp clock · 278d2404
      Luwei Zhou authored
      FEC ptp timer has 4 channel compare/trigger function. It can be used to
      enable pps output.
      The pulse would be ouput high exactly on N second. The pulse ouput high
      on compare event mode is used to produce pulse per second.  The pulse
      width would be one cycle based on ptp timer clock source.Since 31-bit
      ptp hardware timer is used, the timer will wrap more than 2 seconds. We
      need to reload the compare compare event about every 1 second.
      Signed-off-by: default avatarLuwei Zhou <b45643@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      278d2404
    • Luwei Zhou's avatar
      net: fec: ptp: Use hardware algorithm to adjust PTP counter. · 89bddcda
      Luwei Zhou authored
      The FEC IP supports hardware adjustment for ptp timer. Refer to the description of
      ENET_ATCOR and ENET_ATINC registers in the spec about the hardware adjustment. This
      patch uses hardware support to adjust the ptp offset and frequency on the slave side.
      Signed-off-by: default avatarLuwei Zhou <b45643@freescale.com>
      Signed-off-by: default avatarFrank Li <Frank.Li@freescale.com>
      Signed-off-by: default avatarFugang Duan <b38611@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89bddcda
    • Luwei Zhou's avatar
      net: fec: ptp: Use the 31-bit ptp timer. · f28460b2
      Luwei Zhou authored
      When ptp switches from software adjustment to hardware ajustment, linux ptp can't converge.
      It is caused by the IP limit. Hardware adjustment logcial have issue when ptp counter
      runs over 0x80000000(31 bit counter). The internal IP reference manual already remove 32bit
      free-running count support. This patch replace the 32-bit PTP timer with 31-bit.
      Signed-off-by: default avatarLuwei Zhou <b45643@freescale.com>
      Signed-off-by: default avatarFrank Li <Frank.Li@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f28460b2
    • Li RongQing's avatar
      ipv6: remove aca_lock spinlock from struct ifacaddr6 · 02ea8074
      Li RongQing authored
      no user uses this lock.
      Signed-off-by: default avatarLi RongQing <roy.qing.li@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      02ea8074
    • Alexei Starovoitov's avatar
      x86: bpf_jit: fix two bugs in eBPF JIT compiler · e0ee9c12
      Alexei Starovoitov authored
      1.
      JIT compiler using multi-pass approach to converge to final image size,
      since x86 instructions are variable length. It starts with large
      gaps between instructions (so some jumps may use imm32 instead of imm8)
      and iterates until total program size is the same as in previous pass.
      This algorithm works only if program size is strictly decreasing.
      Programs that use LD_ABS insn need additional code in prologue, but it
      was not emitted during 1st pass, so there was a chance that 2nd pass would
      adjust imm32->imm8 jump offsets to the same number of bytes as increase in
      prologue, which may cause algorithm to erroneously decide that size converged.
      Fix it by always emitting largest prologue in the first pass which
      is detected by oldproglen==0 check.
      Also change error check condition 'proglen != oldproglen' to fail gracefully.
      
      2.
      while staring at the code realized that 64-byte buffer may not be enough
      when 1st insn is large, so increase it to 128 to avoid buffer overflow
      (theoretical maximum size of prologue+div is 109) and add runtime check.
      
      Fixes: 62258278 ("net: filter: x86: internal BPF JIT")
      Reported-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Tested-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0ee9c12
    • Eric Dumazet's avatar
      tcp: fix ooo_okay setting vs Small Queues · b2532eb9
      Eric Dumazet authored
      TCP Small Queues (tcp_tsq_handler()) can hold one reference on
      sk->sk_wmem_alloc, preventing skb->ooo_okay being set.
      
      We should relax test done to set skb->ooo_okay to take care
      of this extra reference.
      
      Minimal truesize of skb containing one byte of payload is
      SKB_TRUESIZE(1)
      
      Without this fix, we have more chance locking flows into the wrong
      transmit queue.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2532eb9
    • Alexander Aring's avatar
      skbuff: fix ftrace handling in skb_unshare · 31eff81e
      Alexander Aring authored
      If the skb is not dropped afterwards we should run consume_skb instead
      kfree_skb. Inside of function skb_unshare we do always a kfree_skb,
      doesn't depend if skb_copy failed or was successful.
      
      This patch switch this behaviour like skb_share_check, if allocation of
      sk_buff failed we use kfree_skb otherwise consume_skb.
      Signed-off-by: default avatarAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31eff81e
    • Alexander Duyck's avatar
      fm10k: Add skb->xmit_more support · 2c2b2f0c
      Alexander Duyck authored
      This change adds support for skb->xmit_more based on the changes that were
      made to igb to support the feature.  The main changes are moving up the
      check for maybe_stop_tx so that we can check netif_xmit_stopped to determine
      if we must write the tail because we can add no further buffers.
      Acked-by: default avatarMatthew Vick <matthew.vick@intel.com>
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@redhat.com>
      Acked-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c2b2f0c
    • Nimrod Andy's avatar
      net: fec: Fix sparse warnings with different lock contexts for basic block · 5bc26726
      Nimrod Andy authored
      reproduce:
      make  ARCH=arm C=1 2>fec.txt drivers/net/ethernet/freescale/fec_main.o
      cat fec.txt
      
      sparse warnings:
      drivers/net/ethernet/freescale/fec_main.c:2916:12: warning: context imbalance
      in 'fec_set_features' - different lock contexts for basic block
      
      Christopher Li suggest to change as below:
      	if (need_lock) {
      		lock();
      		do_something_real();
      		unlock();
      	} else {
      		do_something_real();
      	}
      Reported-by: default avatarFabio Estevam <festevam@gmail.com>
      Suggested-by: default avatarChristopher Li <sparse@chrisli.org>
      Signed-off-by: default avatarFugang Duan <B38611@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5bc26726
    • Vince Bridgers's avatar
    • David S. Miller's avatar
      Merge branch 'sctp' · b27fa993
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Here are some SCTP fixes.
      
      [ Note, immediate workaround would be to disable ASCONF (it
        is sysctl disabled by default). It is actually only used
        together with chunk authentication. ]
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b27fa993
    • Daniel Borkmann's avatar
      net: sctp: fix remote memory pressure from excessive queueing · 26b87c78
      Daniel Borkmann authored
      This scenario is not limited to ASCONF, just taken as one
      example triggering the issue. When receiving ASCONF probes
      in the form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
        [...]
        ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
      
      ... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
      ASCONFs and have increasing serial numbers, we process such
      ASCONF chunk(s) marked with !end_of_packet and !singleton,
      since we have not yet reached the SCTP packet end. SCTP does
      only do verification on a chunk by chunk basis, as an SCTP
      packet is nothing more than just a container of a stream of
      chunks which it eats up one by one.
      
      We could run into the case that we receive a packet with a
      malformed tail, above marked as trailing JUNK. All previous
      chunks are here goodformed, so the stack will eat up all
      previous chunks up to this point. In case JUNK does not fit
      into a chunk header and there are no more other chunks in
      the input queue, or in case JUNK contains a garbage chunk
      header, but the encoded chunk length would exceed the skb
      tail, or we came here from an entirely different scenario
      and the chunk has pdiscard=1 mark (without having had a flush
      point), it will happen, that we will excessively queue up
      the association's output queue (a correct final chunk may
      then turn it into a response flood when flushing the
      queue ;)): I ran a simple script with incremental ASCONF
      serial numbers and could see the server side consuming
      excessive amount of RAM [before/after: up to 2GB and more].
      
      The issue at heart is that the chunk train basically ends
      with !end_of_packet and !singleton markers and since commit
      2e3216cd ("sctp: Follow security requirement of responding
      with 1 packet") therefore preventing an output queue flush
      point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
      chunk (chunk = event_arg) even though local_cork is set,
      but its precedence has changed since then. In the normal
      case, the last chunk with end_of_packet=1 would trigger the
      queue flush to accommodate possible outgoing bundling.
      
      In the input queue, sctp_inq_pop() seems to do the right thing
      in terms of discarding invalid chunks. So, above JUNK will
      not enter the state machine and instead be released and exit
      the sctp_assoc_bh_rcv() chunk processing loop. It's simply
      the flush point being missing at loop exit. Adding a try-flush
      approach on the output queue might not work as the underlying
      infrastructure might be long gone at this point due to the
      side-effect interpreter run.
      
      One possibility, albeit a bit of a kludge, would be to defer
      invalid chunk freeing into the state machine in order to
      possibly trigger packet discards and thus indirectly a queue
      flush on error. It would surely be better to discard chunks
      as in the current, perhaps better controlled environment, but
      going back and forth, it's simply architecturally not possible.
      I tried various trailing JUNK attack cases and it seems to
      look good now.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26b87c78
    • Daniel Borkmann's avatar
      net: sctp: fix panic on duplicate ASCONF chunks · b69040d8
      Daniel Borkmann authored
      When receiving a e.g. semi-good formed connection scan in the
      form of ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ---------------- ASCONF_a; ASCONF_b ----------------->
      
      ... where ASCONF_a equals ASCONF_b chunk (at least both serials
      need to be equal), we panic an SCTP server!
      
      The problem is that good-formed ASCONF chunks that we reply with
      ASCONF_ACK chunks are cached per serial. Thus, when we receive a
      same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
      not need to process them again on the server side (that was the
      idea, also proposed in the RFC). Instead, we know it was cached
      and we just resend the cached chunk instead. So far, so good.
      
      Where things get nasty is in SCTP's side effect interpreter, that
      is, sctp_cmd_interpreter():
      
      While incoming ASCONF_a (chunk = event_arg) is being marked
      !end_of_packet and !singleton, and we have an association context,
      we do not flush the outqueue the first time after processing the
      ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
      queued up, although we set local_cork to 1. Commit 2e3216cd
      changed the precedence, so that as long as we get bundled, incoming
      chunks we try possible bundling on outgoing queue as well. Before
      this commit, we would just flush the output queue.
      
      Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
      continue to process the same ASCONF_b chunk from the packet. As
      we have cached the previous ASCONF_ACK, we find it, grab it and
      do another SCTP_CMD_REPLY command on it. So, effectively, we rip
      the chunk->list pointers and requeue the same ASCONF_ACK chunk
      another time. Since we process ASCONF_b, it's correctly marked
      with end_of_packet and we enforce an uncork, and thus flush, thus
      crashing the kernel.
      
      Fix it by testing if the ASCONF_ACK is currently pending and if
      that is the case, do not requeue it. When flushing the output
      queue we may relink the chunk for preparing an outgoing packet,
      but eventually unlink it when it's copied into the skb right
      before transmission.
      
      Joint work with Vlad Yasevich.
      
      Fixes: 2e3216cd ("sctp: Follow security requirement of responding with 1 packet")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b69040d8
    • Daniel Borkmann's avatar
      net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks · 9de7922b
      Daniel Borkmann authored
      Commit 6f4c618d ("SCTP : Add paramters validity check for
      ASCONF chunk") added basic verification of ASCONF chunks, however,
      it is still possible to remotely crash a server by sending a
      special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
      
      skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
       head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
       end:0x440 dev:<NULL>
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8144fb1c>] skb_put+0x5c/0x70
       [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
       [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
       [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
       [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
       [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
       [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
       [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
       [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
       [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
       [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
       [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
       [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
       [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
       [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
       [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
       [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
       [<ffffffff81496ac5>] ip_rcv+0x275/0x350
       [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
       [<ffffffff81460588>] netif_receive_skb+0x58/0x60
      
      This can be triggered e.g., through a simple scripted nmap
      connection scan injecting the chunk after the handshake, for
      example, ...
      
        -------------- INIT[ASCONF; ASCONF_ACK] ------------->
        <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
        ------------------ ASCONF; UNKNOWN ------------------>
      
      ... where ASCONF chunk of length 280 contains 2 parameters ...
      
        1) Add IP address parameter (param length: 16)
        2) Add/del IP address parameter (param length: 255)
      
      ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
      Address Parameter in the ASCONF chunk is even missing, too.
      This is just an example and similarly-crafted ASCONF chunks
      could be used just as well.
      
      The ASCONF chunk passes through sctp_verify_asconf() as all
      parameters passed sanity checks, and after walking, we ended
      up successfully at the chunk end boundary, and thus may invoke
      sctp_process_asconf(). Parameter walking is done with
      WORD_ROUND() to take padding into account.
      
      In sctp_process_asconf()'s TLV processing, we may fail in
      sctp_process_asconf_param() e.g., due to removal of the IP
      address that is also the source address of the packet containing
      the ASCONF chunk, and thus we need to add all TLVs after the
      failure to our ASCONF response to remote via helper function
      sctp_add_asconf_response(), which basically invokes a
      sctp_addto_chunk() adding the error parameters to the given
      skb.
      
      When walking to the next parameter this time, we proceed
      with ...
      
        length = ntohs(asconf_param->param_hdr.length);
        asconf_param = (void *)asconf_param + length;
      
      ... instead of the WORD_ROUND()'ed length, thus resulting here
      in an off-by-one that leads to reading the follow-up garbage
      parameter length of 12336, and thus throwing an skb_over_panic
      for the reply when trying to sctp_addto_chunk() next time,
      which implicitly calls the skb_put() with that length.
      
      Fix it by using sctp_walk_params() [ which is also used in
      INIT parameter processing ] macro in the verification *and*
      in ASCONF processing: it will make sure we don't spill over,
      that we walk parameters WORD_ROUND()'ed. Moreover, we're being
      more defensive and guard against unknown parameter types and
      missized addresses.
      
      Joint work with Vlad Yasevich.
      
      Fixes: b896b82b ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9de7922b
    • Bruno Thomsen's avatar
      phy/micrel: KSZ8031RNL RMII clock reconfiguration bug · b838b4ac
      Bruno Thomsen authored
      Bug: Unable to send and receive Ethernet packets with Micrel PHY.
      
      Affected devices:
      KSZ8031RNL (commercial temp)
      KSZ8031RNLI (industrial temp)
      
      Description:
      PHY device is correctly detected during probe.
      PHY power-up default is 25MHz crystal clock input
      and output 50MHz RMII clock to MAC.
      Reconfiguration of PHY to input 50MHz RMII clock from MAC
      causes PHY to become unresponsive if clock source is changed
      after Operation Mode Strap Override (OMSO) register setup.
      
      Cause:
      Long lead times on parts where clock setup match circuit design
      forces the usage of similar parts with wrong default setup.
      
      Solution:
      Swapped KSZ8031 register setup and added phy_write return code validation.
      
      Tested with Freescale i.MX28 Fast Ethernet Controler (fec).
      Signed-off-by: default avatarBruno Thomsen <bth@kamstrup.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b838b4ac
  2. 10 Oct, 2014 19 commits