1. 28 Nov, 2012 2 commits
    • sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall · 6e51fe75
      Tommi Rantala authored
      Consider the following program, that sets the second argument to the
      sendto() syscall incorrectly:
      
       #include <string.h>
       #include <arpa/inet.h>
       #include <sys/socket.h>
      
       int main(void)
       {
               int fd;
               struct sockaddr_in sa;
      
               fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
               if (fd < 0)
                       return 1;
      
               memset(&sa, 0, sizeof(sa));
               sa.sin_family = AF_INET;
               sa.sin_addr.s_addr = inet_addr("127.0.0.1");
               sa.sin_port = htons(11111);
      
               sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
      
               return 0;
       }
      
      We get -ENOMEM:
      
       $ strace -e sendto ./demo
       sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
      
      Propagate the error code from sctp_user_addto_chunk(), so that we will
      tell user space what actually went wrong:
      
       $ strace -e sendto ./demo
       sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
      
      Noticed while running Trinity (the syscall fuzzer).
      Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
      Acked-by: Vlad Yasevich <vyasevich@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails · be364c8c
      Tommi Rantala authored
      Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
      reproducible e.g. with the sendto() syscall by passing an invalid
      user space pointer in the second argument:
      
       #include <string.h>
       #include <arpa/inet.h>
       #include <sys/socket.h>
      
       int main(void)
       {
               int fd;
               struct sockaddr_in sa;
      
               fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
               if (fd < 0)
                       return 1;
      
               memset(&sa, 0, sizeof(sa));
               sa.sin_family = AF_INET;
               sa.sin_addr.s_addr = inet_addr("127.0.0.1");
               sa.sin_port = htons(11111);
      
               sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
      
               return 0;
       }
      
      As far as I can tell, the leak has been around since ~2003.
      Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
      Acked-by: Vlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 26 Nov, 2012 4 commits
  3. 24 Nov, 2012 4 commits
    • Merge tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 194d9831
      Linus Torvalds authored
      Pull sound build error fix from Takashi Iwai:
       "Only a single commit for fixing the build error without CONFIG_PM in
        hda driver."
      
      * tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Fix build without CONFIG_PM
    • ALSA: hda - Fix build without CONFIG_PM · d846b174
      Takashi Iwai authored
      I forgot this again...  codec->in_pm is in #ifdef CONFIG_PM
      Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 2654ad44
      Linus Torvalds authored
      Pull x86 arch fixes from Peter Anvin:
       "Here is a collection of fixes for 3.7-rc7.  This is a superset of
        tglx' earlier pull request."
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86-64: Fix ordering of CFI directives and recent ASM_CLAC additions
        x86, microcode, AMD: Add support for family 16h processors
        x86-32: Export kernel_stack_pointer() for modules
        x86-32: Fix invalid stack address while in softirq
        x86, efi: Fix processor-specific memcpy() build error
        x86: remove dummy long from EFI stub
        x86, mm: Correct vmflag test for checking VM_HUGETLB
        x86, amd: Disable way access filter on Piledriver CPUs
        x86/mce: Do not change worker's running cpu in cmci_rediscover().
        x86/ce4100: Fix PCI configuration register access for devices without interrupts
        x86/ce4100: Fix reboot by forcing the reboot method to be KBD
        x86/ce4100: Fix pm_poweroff
        MAINTAINERS: Update email address for Robert Richter
        x86, microcode_amd: Change email addresses, MAINTAINERS entry
        MAINTAINERS: Change Boris' email address
        EDAC: Change Boris' email address
        x86, AMD: Change Boris' email address
    • Merge tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6 · 35f95d22
      Linus Torvalds authored
      Pull MTD fixes from David Woodhouse:
       "The most important part of this is that it fixes a regression in
        Samsung NAND chip detection, introduced by some rework which went into
        3.7.  The initial fix wasn't quite complete, so it's in two parts.  In
        fact the first part is committed twice (Artem committed his own copy
        of the same patch) and I've merged Artem's tree into mine which
        already had that fix.
      
        I'd have recommitted that to make it somewhat cleaner, but figured by
        this point in the release cycle it was better to merge *exactly* the
        commits which have been in linux-next.
      
        If I'd recommitted, I'd also omit the sparse warning fix.  But it's
        there, and it's harmless — just marking one function as 'static' in
        onenand code.
      
        This also includes a couple more fixes for stable: an AB-BA deadlock
        in JFFS2, and an invalid range check in slram."
      
      * tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6:
        mtd: nand: fix Samsung SLC detection regression
        mtd: nand: fix Samsung SLC NAND identification regression
        jffs2: Fix lock acquisition order bug in jffs2_write_begin
        mtd: onenand: Make flexonenand_set_boundary static
        mtd: slram: invalid checking of absolute end address
        mtd: ofpart: Fix incorrect NULL check in parse_ofoldpart_partitions()
        mtd: nand: fix Samsung SLC NAND identification regression
  4. 23 Nov, 2012 27 commits
  5. 22 Nov, 2012 3 commits
    • i2c: mxs: Handle i2c DMA failure properly · 958f9889
      Marek Vasut authored
      Properly terminate the DMA transfer in case the DMA PIO transfer
      or setup fails for any reason.
      Signed-off-by: Marek Vasut <marex@denx.de>
      Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
    • ipv4: do not cache looped multicasts · 63617421
      Julian Anastasov authored
      	Starting from 3.6 we cache output routes for
      multicasts only when using route to 224/4. For local receivers
      we can set RTCF_LOCAL flag depending on the membership but
      in such a case we use maddr and saddr which are not caching
      keys as before. Additionally, we cannot use the same place to
      cache routes that differ in RTCF_LOCAL flag value.
      
      	Fix it by caching only RTCF_MULTICAST entries
      without RTCF_LOCAL (send-only, no loopback). As a side effect,
      we avoid unneeded lookup for fnhe when not caching because
      multicasts are not redirected and they do not learn PMTU.
      
      	Thanks to Maxime Bizon for showing the caching
      problems in __mkroute_output for 3.6 kernels: different
      RTCF_LOCAL flag in cache can lead to wrong ip_mc_output or
      ip_output call and the visible problem is that traffic cannot
      reach local receivers via loopback.
      Reported-by: Maxime Bizon <mbizon@freebox.fr>
      Tested-by: Maxime Bizon <mbizon@freebox.fr>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'master' of git://1984.lsi.us.es/nf · 84ec95b0
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      The following patchset contains two Netfilter fixes:
      
      * Fix buffer overflow in the name of the timeout policy object
        in the cttimeout infrastructure, from Florian Westphal.
      
      * Fix a bug in the hash set in case that IP ranges are
        specified, from Jozsef Kadlecsik.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>