1. 03 Nov, 2012 9 commits
    • cifs: fix potential buffer overrun in cifs.idmap handling code · 36960e44
      Jeff Layton authored
      The userspace cifs.idmap program generally works with the wbclient libs
      to generate binary SIDs in userspace. That program defines the struct
      that holds these values as having a max of 15 subauthorities. The kernel
      idmapping code however limits that value to 5.
      
      When the kernel copies those values around though, it doesn't sanity
      check the num_subauths value handed back from userspace or from the
      server. It's possible therefore for userspace to hand us back a bogus
      num_subauths value (or one that's valid, but greater than 5) that could
      cause the kernel to walk off the end of the cifs_sid->sub_auths array.
      
      Fix this by defining a new routine for copying sids and using that in
      all of the places that copy it. If we end up with a sid that's longer
      than expected then this approach will just lop off the "extra" subauths,
      but that's basically what the code does today already. Better approaches
      might be to fix this code to reject SIDs with >5 subauths, or fix it
      to handle the subauths array dynamically.
      
      At the same time, change the kernel to check the length of the data
      returned by userspace. If it's shorter than struct cifs_sid, reject it
      and return -EIO. If that happens we'll end up with fields that are
      basically uninitialized.
      
      Long term, it might make sense to redefine cifs_sid using a flexarray at
      the end, to allow for variable-length subauth lists, and teach the code
      to handle the case where the subauths array being passed in from
      userspace is shorter than 5 elements.
      
      Note too, that I don't consider this a security issue since you'd need
      a compromised cifs.idmap program. If you have that, you can do all sorts
      of nefarious stuff. Still, this is probably reasonable for stable.
      
      Cc: stable@kernel.org
      Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
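The fix described in the cifs.idmap commit above (36960e44), as an added userspace example that is not the kernel's code: it clamps an untrusted subauthority count before copying and rejects a helper reply shorter than the struct. The struct layout, the six-byte authority field and the names `sid_example`, `sid_copy_clamped` and `sid_from_payload` are assumptions for illustration; the limits of 5 and 15 and the -EIO result come from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KERNEL_MAX_SUBAUTHS 5  /* kernel-side limit, per the commit message */
#define NUM_AUTH_BYTES 6       /* assumed size of the authority field */

struct sid_example {           /* illustrative layout, not the kernel header */
    uint8_t  revision;
    uint8_t  num_subauth;      /* untrusted: set by userspace or the server */
    uint8_t  authority[NUM_AUTH_BYTES];
    uint32_t sub_auth[KERNEL_MAX_SUBAUTHS];
};

/* Copy a SID, clamping the untrusted count to the array's real capacity. */
static void sid_copy_clamped(struct sid_example *dst, const struct sid_example *src)
{
    size_t n = src->num_subauth;
    if (n > KERNEL_MAX_SUBAUTHS)
        n = KERNEL_MAX_SUBAUTHS;       /* lop off the "extra" subauths */
    memset(dst, 0, sizeof(*dst));
    dst->revision = src->revision;
    dst->num_subauth = (uint8_t)n;
    memcpy(dst->authority, src->authority, NUM_AUTH_BYTES);
    for (size_t i = 0; i < n; i++)
        dst->sub_auth[i] = src->sub_auth[i];
}

/* Accept a helper payload only if it is at least one full struct long. */
static int sid_from_payload(struct sid_example *dst, const void *buf, size_t len)
{
    struct sid_example tmp;
    if (len < sizeof(tmp))
        return -EIO;                   /* short reply: fields would be garbage */
    memcpy(&tmp, buf, sizeof(tmp));
    sid_copy_clamped(dst, &tmp);
    return 0;
}

int main(void)
{
    /* Constructed sample: a reply claiming 15 subauths, the userspace maximum. */
    struct sid_example in = { 1, 15, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, 4} }, out;
    int rc = sid_from_payload(&out, &in, sizeof(in));
    printf("rc=%d count=%u\n", rc, (unsigned)out.num_subauth);
    printf("short rc=%d\n", sid_from_payload(&out, &in, sizeof(in) - 1));
    return 0;
}
```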
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 0f89a573
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "First post-Sandy pull request"
      
       1) Fix antenna gain handling and initialization of chan->max_reg_power
          in wireless, from Felix Fietkau.
      
       2) Fix nexthop handling in H.232 conntrack helper, from Julian
          Anastasov.
      
       3) Only process 80211 mesh config header in certain kinds of frames,
          from Javier Cardona.
      
       4) 80211 management frame header length needs to be validated, from
          Johannes Berg.
      
       5) Don't access free'd SKBs in ath9k driver, from Felix Fietkau.
      
       6) Test for permanent state correctly in VXLAN driver, from Stephen
          Hemminger.
      
       7) BNX2X bug fixes from Yaniv Rosner and Dmitry Kravkov.
      
       8) Fix off by one errors in bonding, from Nikolay Aleksandrov.
      
       9) Fix divide by zero in TCP-Illinois congestion control.  From Jesper
          Dangaard Brouer.
      
      10) TCP metrics code says "Yo dawg, I heard you like sizeof, so I did a
          sizeof of a sizeof, so you can size your size" Fix from Julian
          Anastasov.
      
      11) Several drivers do mdiobus_free without first doing an
          mdiobus_unregister leading to stray pointer references.  Fix from
          Peter Senna Tschudin.
      
      12) Fix OOPS in l2tp_eth_create() error path, it's another dangling
          pointer kinda situation.  Fix from Tom Parkin.
      
      13) Hardware driven by the vmxnet driver can't handle larger than 16K
          fragments, so split them up when necessary.  From Eric Dumazet.
      
      14) Handle zero length data length in tcp_send_rcvq() properly.  Fix
          from Pavel Emelyanov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        tcp-repair: Handle zero-length data put in rcv queue
        vmxnet3: must split too big fragments
        l2tp: fix oops in l2tp_eth_create() error path
        cxgb4: Fix unable to get UP event from the LLD
        drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free
        drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
        bnx2x: fix HW initialization using fw 7.8.x
        tcp: Fix double sizeof in new tcp_metrics code
        net: fix divide by zero in tcp algorithm illinois
        net: sctp: Fix typo in net/sctp
        bonding: fix second off-by-one error
        bonding: fix off-by-one error
        bnx2x: Disable FCoE for 57840 since not yet supported by FW
        bnx2x: Fix no link on 577xx 10G-baseT
        bnx2x: Fix unrecognized SFP+ module after driver is loaded
        bnx2x: Fix potential incorrect link speed provision
        bnx2x: Restore global registers back to default.
        bnx2x: Fix link down in 57712 following LFA
        bnx2x: Fix 57810 1G-KR link against certain switches.
        ixgbe: PTP get_ts_info missing software support
        ...
    • tcp-repair: Handle zero-length data put in rcv queue · c454e611
      Pavel Emelyanov authored
      When sending data into a tcp socket in repair state we should check
      for the amount of data being 0 explicitly. Otherwise we'll have an skb
      with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
      (in particular a warn_on in tcp_recvmsg shoots).
      Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
      Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vmxnet3: must split too big fragments · a4d7e485
      Eric Dumazet authored
      vmxnet3 has a 16Kbytes limit per tx descriptor, that happened to work
      as long as we provided PAGE_SIZE fragments.
      
      Our stack can now build larger fragments, so we need to split them to
      the 16kbytes boundary.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: jongman heo <jongman.heo@samsung.com>
      Tested-by: jongman heo <jongman.heo@samsung.com>
      Cc: Shreyas Bhatewara <sbhatewara@vmware.com>
      Reviewed-by: Bhavesh Davda <bhavesh@vmware.com>
      Signed-off-by: Shreyas Bhatewara <sbhatewara@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: fix oops in l2tp_eth_create() error path · 78933636
      Tom Parkin authored
      When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
      any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
      32k-interface limit), the netdev is freed in the error path.  However, the
      l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
      l2tp_eth_delete() then attempting to unregister the same netdev later in the
      session teardown.  This results in an oops.
      
      To avoid this, clear the session dev pointer in the error path.
      Signed-off-by: Tom Parkin <tparkin@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: Fix unable to get UP event from the LLD · e3c98512
      Vipul Pandya authored
      If T4 configuration file gets loaded from the /lib/firmware/cxgb4/ directory
      then offload capabilities of the cards were getting disabled during
      initialization. Hence ULDs do not get an UP event from the LLD.
      Signed-off-by: Jay Hernandez <jay@chelsio.com>
      Signed-off-by: Vipul Pandya <vipul@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free · aa731872
      Peter Senna Tschudin authored
      Based on commit b27393ae
      
      Calling mdiobus_free without calling mdiobus_unregister causes
      BUG_ON(). This patch fixes the issue.
      
      The semantic patch that found this issue (http://coccinelle.lip6.fr/):
      // <smpl>
      @@
      expression E;
      @@
        ... when != mdiobus_unregister(E);
      
      + mdiobus_unregister(E);
        mdiobus_free(E);
      // </smpl>
      Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free · 57c10b61
      Peter Senna Tschudin authored
      Based on commit b27393ae
      
      Calling mdiobus_free without calling mdiobus_unregister causes
      BUG_ON(). This patch fixes the issue.
      
      The semantic patch that found this issue (http://coccinelle.lip6.fr/):
      // <smpl>
      @@
      expression E;
      @@
        ... when != mdiobus_unregister(E);
      
      + mdiobus_unregister(E);
        mdiobus_free(E);
      // </smpl>
      Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
      Tested-by: Roland Stigge <stigge@antcom.de>
      Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bnx2x: fix HW initialization using fw 7.8.x · 2b674047
      Dmitry Kravkov authored
      Since commit 96bed4b9 (use FW 7.8.2) BRB HW block needs to be
      initialized using fw values for all devices.
      Otherwise ETS on 57712/578xx will not work.
      Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: Ariel Elior <ariele@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 02 Nov, 2012 16 commits
  3. 01 Nov, 2012 15 commits