1. 21 Sep, 2012 8 commits
  2. 20 Sep, 2012 8 commits
    • Mathias Krause's avatar
      xfrm_user: don't copy esn replay window twice for new states · e3ac104d
      Mathias Krause authored
      The ESN replay window was already fully initialized in
      xfrm_alloc_replay_state_esn(). No need to copy it again.
      
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3ac104d
    • Mathias Krause's avatar
      xfrm_user: ensure user supplied esn replay window is valid · ecd79187
      Mathias Krause authored
      The current code fails to ensure that the netlink message actually
      contains as many bytes as the header indicates. If a user creates a new
      state or updates an existing one but does not supply the bytes for the
      whole ESN replay window, the kernel copies random heap bytes into the
      replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
      netlink attribute. This leads to following issues:
      
      1. The replay window has random bits set confusing the replay handling
         code later on.
      
      2. A malicious user could use this flaw to leak up to ~3.5kB of heap
         memory when she has access to the XFRM netlink interface (requires
         CAP_NET_ADMIN).
      
      Known users of the ESN replay window are strongSwan and Steffen's
      iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
      uses the interface with a bitmap supplied while the former does not.
      strongSwan is therefore prone to run into issue 1.
      
      To fix both issues without breaking existing userland allow using the
      XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
      fully specified one. For the former case we initialize the in-kernel
      bitmap with zero, for the latter we copy the user supplied bitmap. For
      state updates the full bitmap must be supplied.
      
      To prevent overflows in the bitmap length calculation the maximum size
      of bmp_len is limited to 128 by this patch -- resulting in a maximum
      replay window of 4096 packets. This should be sufficient for all real
      life scenarios (RFC 4303 recommends a default replay window size of 64).
      
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Martin Willi <martin@revosec.ch>
      Cc: Ben Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ecd79187
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_tmpl() · 1f86840f
      Mathias Krause authored
      The memory used for the template copy is a local stack variable. As
      struct xfrm_user_tmpl contains multiple holes added by the compiler for
      alignment, not initializing the memory will lead to leaking stack bytes
      to userland. Add an explicit memset(0) to avoid the info leak.
      
      Initial version of the patch by Brad Spengler.
      
      Cc: Brad Spengler <spender@grsecurity.net>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1f86840f
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_policy() · 7b789836
      Mathias Krause authored
      The memory reserved to dump the xfrm policy includes multiple padding
      bytes added by the compiler for alignment (padding bytes in struct
      xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
      memset(0) before filling the buffer to avoid the heap info leak.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b789836
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_state() · f778a636
      Mathias Krause authored
      The memory reserved to dump the xfrm state includes the padding bytes of
      struct xfrm_usersa_info added by the compiler for alignment (7 for
      amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
      to avoid the info leak.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f778a636
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_auth() · 4c87308b
      Mathias Krause authored
      copy_to_user_auth() fails to initialize the remainder of alg_name and
      therefore discloses up to 54 bytes of heap memory via netlink to
      userland.
      
      Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
      with null bytes.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Acked-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4c87308b
    • Bjørn Mork's avatar
      net: qmi_wwan: adding Huawei E367, ZTE MF683 and Pantech P4200 · 9db273f4
      Bjørn Mork authored
      One of the modes of Huawei E367 has this QMI/wwan interface:
      
       I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=07 Driver=(none)
       E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
       E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
       E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      
      Huawei use subclass and protocol to identify vendor specific
      functions, so adding a new vendor rule for this combination.
      
      The Pantech devices UML290 (106c:3718) and P4200 (106c:3721) use
      the same subclass to identify the QMI/wwan function.  Replace the
      existing device specific UML290 entries with generic vendor matching,
      adding support for the Pantech P4200.
      
      The ZTE MF683 has 6 vendor specific interfaces, all using
      ff/ff/ff for cls/sub/prot.  Adding a match on interface #5 which
      is a QMI/wwan interface.
      
      Cc: Fangxiaozhi (Franko) <fangxiaozhi@huawei.com>
      Cc: Thomas Schäfer <tschaefer@t-online.de>
      Cc: Dan Williams <dcbw@redhat.com>
      Cc: Shawn J. Goff <shawn7400@gmail.com>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9db273f4
    • Andrey Vagin's avatar
      tcp: restore rcv_wscale in a repair mode (v2) · bc26ccd8
      Andrey Vagin authored
      rcv_wscale is a symetric parameter with snd_wscale.
      
      Both this parameters are set on a connection handshake.
      
      Without this value a remote window size can not be interpreted correctly,
      because a value from a packet should be shifted on rcv_wscale.
      
      And one more thing is that wscale_ok should be set too.
      
      This patch doesn't break a backward compatibility.
      If someone uses it in a old scheme, a rcv window
      will be restored with the same bug (rcv_wscale = 0).
      
      v2: Save backward compatibility on big-endian system. Before
          the first two bytes were snd_wscale and the second two bytes were
          rcv_wscale. Now snd_wscale is opt_val & 0xFFFF and rcv_wscale >> 16.
          This approach is independent on byte ordering.
      
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: James Morris <jmorris@namei.org>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: Patrick McHardy <kaber@trash.net>
      CC: Pavel Emelyanov <xemul@parallels.com>
      Signed-off-by: default avatarAndrew Vagin <avagin@openvz.org>
      Acked-by: default avatarPavel Emelyanov <xemul@parallels.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bc26ccd8
  3. 19 Sep, 2012 5 commits
  4. 18 Sep, 2012 14 commits
  5. 17 Sep, 2012 1 commit
    • David S. Miller's avatar
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · a1f6d8f7
      David S. Miller authored
      John W. Linville says:
      
      ====================
      This is a batch of fixes intended for the 3.6 stream.
      
      Arend van Spriel sends a simple thinko fix to correct a constant,
      preventing the setting of an invalid power level.
      
      Colin Ian King gives us a simple allocation failure check to avoid a
      NULL pointer dereference.
      
      Felix Fietkau sends another ath9k tx power patch, this time disabling a
      feature that has been reported to cause rx problems.
      
      Hante Meuleman provides a pair of endian fixes for brcmfmac.
      
      Larry Finger offers an rtlwifi fix that avoids a system lockup related
      to loading the wrong firmware for RTL8188CE devices.
      
      These have been in linux-next for a few days and I think they should be
      included in the final 3.6 kernel if possible.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1f6d8f7
  6. 15 Sep, 2012 4 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes · 3f0c3c8f
      Linus Torvalds authored
      Pull GFS2 fixes from Steven Whitehouse:
       "Here are three GFS2 fixes for the current kernel tree.  These are all
        related to the block reservation code which was added at the merge
        window.  That code will be getting an update at the forthcoming merge
        window too.  In the mean time though there are a few smaller issues
        which should be fixed.
      
        The first patch resolves an issue with write sizes of greater than 32
        bits with the size hinting code.  The second ensures that the
        allocation data structure is initialised when using xattrs and the
        third takes into account allocations which may have been made by other
        nodes which affect a reservation on the local node."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-3.0-fixes:
        GFS2: Take account of blockages when using reserved blocks
        GFS2: Fix missing allocation data for set/remove xattr
        GFS2: Make write size hinting code common
      3f0c3c8f
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86 · 9cb0ee85
      Linus Torvalds authored
      Pull x86 platform driver updates from Matthew Garrett:
       "A few small updates for 3.6 - a trivial regression fix and a couple of
        conformance updates for the gmux driver, plus some tiny fixes for
        asus-wmi, eeepc-laptop and thinkpad_acpi."
      
      * 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
        thinkpad_acpi: buffer overflow in fan_get_status()
        eeepc-laptop: fix device reference count leakage in eeepc_rfkill_hotplug()
        platform/x86: fix asus_laptop.wled_type description
        asus-laptop: HRWS/HWRS typo
        drivers-platform-x86: remove useless #ifdef CONFIG_ACPI_VIDEO
        apple-gmux: Fix port address calculation in gmux_pio_write32()
        apple-gmux: Fix index read functions
        apple-gmux: Obtain version info from indexed gmux
      9cb0ee85
    • Linus Torvalds's avatar
      Merge branch 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux · 5b799dde
      Linus Torvalds authored
      Pull i2c embedded fixes from Wolfram Sang:
       "The last bunch of (typical) i2c-embedded driver fixes for 3.6.
      
        Also update the MAINTAINERS file to point to my tree since people keep
        asking where to find their patches."
      
      * 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux:
        i2c: algo: pca: Fix mode selection for PCA9665
        MAINTAINERS: fix tree for current i2c-embedded development
        i2c: mxs: correctly setup speed for non devicetree
        i2c: pnx: Fix read transactions of >= 2 bytes
        i2c: pnx: Fix bit definitions
      5b799dde
    • Linus Torvalds's avatar
      Merge tag 'ecryptfs-3.6-rc6-fixes' of... · 1547cb80
      Linus Torvalds authored
      Merge tag 'ecryptfs-3.6-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
      
      Pull ecryptfs fixes from Tyler Hicks:
      
       - Fixes a regression, introduced in 3.6-rc1, when a file is closed
         before its shared memory mapping is dirtied and unmapped.  The lower
         file was being released when the eCryptfs file was closed and the
         dirtied pages could not be written out.
       - Adds a call to the lower filesystem's ->flush() from
         ecryptfs_flush().
       - Fixes a regression, introduced in 2.6.39, when a file is renamed on
         top of another file.  The target file's inode was not being evicted
         and the space taken by the file was not reclaimed until eCryptfs was
         unmounted.
      
      * tag 'ecryptfs-3.6-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
        eCryptfs: Copy up attributes of the lower target inode after rename
        eCryptfs: Call lower ->flush() from ecryptfs_flush()
        eCryptfs: Write out all dirty pages just before releasing the lower file
      1547cb80