1. 29 Oct, 2009 3 commits
    • Neil Horman's avatar
      AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) · 55888dfb
      Neil Horman authored
      Augment raw_send_hdrinc to correct for incorrect ip header length values
      
      A series of oopses was reported to me recently.  Apparently when using AF_RAW
      sockets to send data to peers that were reachable via ipsec encapsulation,
      people could panic or BUG halt their systems.
      
      I've tracked the problem down to user space sending an invalid ip header over an
      AF_RAW socket with IP_HDRINCL set to 1.
      
      Basically what happens is that userspace sends down an ip frame that includes
      only the header (no data), but sets the ip header ihl value to a large number,
      one that is larger than the total amount of data passed to the sendmsg call.  In
      raw_send_hdrincl, we allocate an skb based on the size of the data in the msghdr
      that was passed in, but assume the data is all valid.  Later during ipsec
      encapsulation, xfrm4_tranport_output moves the entire frame back in the skbuff
      to provide headroom for the ipsec headers.  During this operation, the
      skb->transport_header is repointed to a spot computed by
      skb->network_header + the ip header length (ihl).  Since so little data was
      passed in relative to the value of ihl provided by the raw socket, we point
      transport header to an unknown location, resulting in various crashes.
      
      This fix for this is pretty straightforward, simply validate the value of of
      iph->ihl when sending over a raw socket.  If (iph->ihl*4U) > user data buffer
      size, drop the frame and return -EINVAL.  I just confirmed this fixes the
      reported crashes.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55888dfb
    • David S. Miller's avatar
    • Jiri Bohac's avatar
      bonding: fix a race condition in calls to slave MII ioctls · d9d52832
      Jiri Bohac authored
      In mii monitor mode, bond_check_dev_link() calls the the ioctl
      handler of slave devices. It stores the ndo_do_ioctl function
      pointer to a static (!) ioctl variable and later uses it to call the
      handler with the IOCTL macro.
      
      If another thread executes bond_check_dev_link() at the same time
      (even with a different bond, which none of the locks prevent), a
      race condition occurs. If the two racing slaves have different
      drivers, this may result in one driver's ioctl handler being
      called with a pointer to a net_device controlled with a different
      driver, resulting in unpredictable breakage.
      
      Unless I am overlooking something, the "static" must be a
      copy'n'paste error (?).
      Signed-off-by: default avatarJiri Bohac <jbohac@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9d52832
  2. 28 Oct, 2009 3 commits
  3. 27 Oct, 2009 12 commits
    • Bartlomiej Zolnierkiewicz's avatar
      MAINTAINERS: rt2x00 list is moderated · 83fc9c89
      Bartlomiej Zolnierkiewicz authored
      Cc: users@rt2x00.serialmonkey.com
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <bzolnier@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      83fc9c89
    • Roel Kluin's avatar
      airo: Reorder tests, check bounds before element · 30bd5726
      Roel Kluin authored
      Test whether index is within bounds before reading the element
      Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      30bd5726
    • Björn Smedman's avatar
      mac80211: fix for incorrect sequence number on hostapd injected frames · 9b1ce526
      Björn Smedman authored
      When hostapd injects a frame, e.g. an authentication or association
      response, mac80211 looks for a suitable access point virtual interface
      to associate the frame with based on its source address. This makes it
      possible e.g. to correctly assign sequence numbers to the frames.
      
      A small typo in the ethernet address comparison statement caused a
      failure to find a suitable ap interface. Sequence numbers on such
      frames where therefore left unassigned causing some clients
      (especially windows-based 11b/g clients) to reject them and fail to
      authenticate or associate with the access point. This patch fixes the
      typo in the address comparison statement.
      Signed-off-by: default avatarBjörn Smedman <bjorn.smedman@venatech.se>
      Reviewed-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      9b1ce526
    • Holger Schurig's avatar
      libertas spi: fix sparse errors · d18ba452
      Holger Schurig authored
      This fixes the following sparse warnings:
      
      $ make modules SUBDIRS=drivers/net/wireless/libertas C=1 CF=-D__CHECK_ENDIAN__
      make: Entering directory `/usr/src/linux-wl'
        CHECK   drivers/net/wireless/libertas/if_spi.c
      drivers/net/wireless/libertas/if_spi.c:137:16: warning: incorrect type in initializer (different base types)
      drivers/net/wireless/libertas/if_spi.c:137:16:    expected unsigned short [unsigned] [usertype] reg_out
      drivers/net/wireless/libertas/if_spi.c:137:16:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:191:16: warning: incorrect type in initializer (different base types)
      drivers/net/wireless/libertas/if_spi.c:191:16:    expected unsigned short [unsigned] [usertype] reg_out
      drivers/net/wireless/libertas/if_spi.c:191:16:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:256:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:256:24:    expected restricted __le32 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:256:24:    got unsigned int *<noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:171:7: warning: incorrect type in assignment (different base types)
      drivers/net/wireless/libertas/if_spi.c:171:7:    expected unsigned short [unsigned] [usertype] buff
      drivers/net/wireless/libertas/if_spi.c:171:7:    got restricted __le16 [usertype] <noident>
      drivers/net/wireless/libertas/if_spi.c:243:24: warning: incorrect type in argument 1 (different base types)
      drivers/net/wireless/libertas/if_spi.c:243:24:    expected restricted __le16 const [usertype] *p
      drivers/net/wireless/libertas/if_spi.c:243:24:    got unsigned short *<noident>
      Signed-off-by: default avatarHolger Schurig <hs4233@mail.mn-solutions.de>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d18ba452
    • Andrey Yurovsky's avatar
      mac80211: trivial: fix spelling in mesh_hwmp · f99288d1
      Andrey Yurovsky authored
      Fix a typo in the description of hwmp_route_info_get(), no function
      changes.
      Signed-off-by: default avatarAndrey Yurovsky <andrey@cozybit.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      f99288d1
    • Johannes Berg's avatar
      cfg80211: sme: deauthenticate on assoc failure · 7d930bc3
      Johannes Berg authored
      When the in-kernel SME gets an association failure from
      the AP we don't deauthenticate, and thus get into a very
      confused state which will lead to warnings later on. Fix
      this by actually deauthenticating when the AP indicates
      an association failure.
      
      (Brought to you by the hacking session at Kernel Summit 2009 in Tokyo,
      Japan. -- JWL)
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      7d930bc3
    • Johannes Berg's avatar
      mac80211: keep auth state when assoc fails · 2ef6e444
      Johannes Berg authored
      When association fails, we should stay authenticated,
      which in mac80211 is represented by the existence of
      the mlme work struct, so we cannot free that, instead
      we need to just set it to idle.
      
      (Brought to you by the hacking session at Kernel Summit 2009 in Tokyo,
      Japan. -- JWL)
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      2ef6e444
    • Reinette Chatre's avatar
      mac80211: fix ibss joining · d419b9f0
      Reinette Chatre authored
      Recent commit "mac80211: fix logic error ibss merge bssid check" fixed
      joining of ibss cell when static bssid is provided. In this case
      ifibss->bssid is set before the cell is joined and comparing that address
      to a bss should thus always succeed. Unfortunately this change broke the
      other case of joining a ibss cell without providing a static bssid where
      the value of ifibss->bssid is not set before the cell is joined.
      
      Since ifibss->bssid may be set before or after joining the cell we do not
      learn anything by comparing it to a known bss. Remove this check.
      Signed-off-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d419b9f0
    • Miguel Boton's avatar
      b43: add 'struct b43_wl' missing declaration · e6693eab
      Miguel Boton authored
      'struct b43_wl' declaration is missing at 'leds.h'.
      It should be declared to avoid getting some GCC warnings at 'b43_leds_unregister'.
      Signed-off-by: default avatarMiguel Botón <mboton@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      e6693eab
    • Larry Finger's avatar
      b43: Fix Bugzilla #14181 and the bug from the previous 'fix' · d50bae33
      Larry Finger authored
      "b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
      in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
      radio switch was turned off, it was necessary to unload and reload
      the driver for it to recognize the switch again.
      
      This patch fixes both the original bug in #14181 and the bug introduced by
      the previous patch. It must be stated, however, that if there is a BCM4306/3
      with an rfkill switch (not yet proven), then the driver will need an
      unload/reload cycle to turn the device back on.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d50bae33
    • Benoit PAPILLAULT's avatar
    • Nobuhiro Iwamatsu's avatar
      sh_eth: Add asm/cacheflush.h · f568a926
      Nobuhiro Iwamatsu authored
      Add include asm/cacheflush.h,  because declaration of __flush_purge_region
      moved to asm/cacheflush.h.
      Signed-off-by: default avatarNobuhiro Iwamatsu <iwamatsu@nigauri.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f568a926
  4. 26 Oct, 2009 9 commits
  5. 24 Oct, 2009 4 commits
  6. 23 Oct, 2009 9 commits